PRIORITY IN PROCESS ALGEBRAS


RANCE CLEAVELAND, GERALD LUTTGEN, AND V. NATARAJAN

Abstract. This paper surveys the semantic ramifications of extending traditional process algebras with 
notions of priority that allow for some transitions to be given precedence over others. These enriched 
formalisms allow one to model system features such as interrupts, prioritized choice, or real-time behavior.

Approaches to priority in process algebras can be classified according to whether the induced notion of 
pre-emption on transitions is global or local and whether priorities are static or dynamic. Early work in the
area concentrated on global pre-emption and static priorities and led to formalisms for modeling interrupts 
and aspects of real-time, such as maximal progress, in centralized computing environments. More recent
research has investigated localized notions of pre-emption in which the distribution of systems is taken into 
account, as well as dynamic priority approaches, i.e., those where priority values may change as systems 
evolve. The latter allows one to model behavioral phenomena such as scheduling algorithms and also enables 
the efficient encoding of real-time semantics. 

Technically, this paper studies the different models of priorities by presenting extensions of Milner’s 
Calculus of Communicating Systems (CCS) with static and dynamic priority as well as with notions of 
global and local pre-emption. In each case the operational semantics of CCS is modified appropriately, 
behavioral theories based on strong and weak bisimulation are given, and related approaches for different 
process-algebraic settings are discussed. 

Key words. process algebra, priority, pre-emption, bisimulation

Subject classification. Computer Science 

1. Introduction. Traditional process algebras [6, 37, 40, 52] provide a framework for reasoning about 
the communication potential of concurrent and distributed systems. Such theories typically consist of a simple 
calculus with a well-defined operational semantics [1, 63] given as labeled transition systems; a behavioral
equivalence is then used to relate implementations and specifications, which are both given as terms in
the calculus. In order to facilitate compositional reasoning, in which systems are verified on the basis of
the behavior of their components, researchers have devoted great attention to the definition of behavioral
congruences, which allow the substitution of “equals for equals” inside larger systems.

Although many case studies (see e.g. [2]) prove the utility of the process-algebraic approach to system 
modeling and verification, many systems in practice cannot be modeled accurately within this framework. 
One reason is that traditional process algebras focus exclusively on expressing the potential nondeterminism
that the interplay of concurrent processes may exhibit; they do not provide any means for encoding differing
levels of urgency among transitions that might be enabled from a given system state. Typical examples of 
urgency include: 


• interrupts, where non-urgent transitions at a state are pre-empted whenever an interrupt is raised; 

• programming language constructs, such as the PRI ALT construct in Occam [41], that impose an
order on transitions; 

• real-time behavior that is semantically founded on the well-known synchrony hypothesis [13] or
maximal progress assumption [74]; and 

• scheduling algorithms which also rely on the concept of pre-emption. 

In each of these cases urgency provides a means for restricting nondeterminism. This mechanism is simply 
ignored in traditional process algebras. As a consequence, the resulting system models are often not faithful 
since they contain spurious paths that cannot be traversed by the real-world systems themselves [16, 28]. 



Fig. 1.1. A simple example system

As a simple example of the need for integrating concepts of urgency in process algebra consider the
interrupt-based system depicted in Figure 1.1. It consists of two processes, A that flips back and forth
between two states and B that checks if A is running properly. Whenever B receives a check message it
requests status information from A via interrupt port i which in turn responds by ok. In the absence of an
indication that a communication on i is more urgent than one on back and forth, the process A can ignore
a check request indefinitely.

1.1. Classification of Approaches to Priority. A number of approaches have been proposed for 
taking into account different aspects of priority [4, 12, 16, 20, 21, 22, 23, 25, 27, 28, 31, 33, 35, 42, 43, 44,
48, 49, 50, 58, 59, 65, 68, 69]. One may classify these approaches according to the following two criteria.

Static vs. dynamic priority: 

In static approaches, transitions are assigned priority values that do not change as the system
under consideration evolves. These schemes find application in the modeling of interrupts
or prioritized choice constructs. In the former case, interrupts have a fixed urgency level
associated with them; in the latter, priorities of transitions are fixed by the static program
syntax. Almost all priority approaches to process algebra published so far deal with static
priorities. The exceptions are [16, 21], which present models that allow priority values
of transitions to change as systems evolve. Such dynamic behavior is useful in modeling
scheduling approaches and real-time semantics.

Global vs. local pre-emption:


This criterion refers to the scope of the priority values. In the case of centralized systems, 
priorities generally have a global scope in the sense that transitions in one process may 
pre-empt transitions in another. We refer to this kind of pre-emption, which has been 
advocated by Baeten, Bergstra, and Klop [4] and by Cleaveland and Hennessy [25] in the 
late eighties, as global pre-emption. In contrast, in a distributed system containing several 
sites, transitions should only be allowed to pre-empt those at the same site. This kind of 
pre-emption, which was first studied by Camilleri and Winskel [23] in the early nineties, is 
called local pre-emption.

Based on this classification scheme the body of this paper investigates the following different semantics for 
a prototypical process-algebraic language: static/global, static/local, and dynamic/global. The combination
of dynamic priority and local pre-emption, on which research has not yet been carried out, is omitted.

Some caveats about terminology are in order here. Other process algebra researchers have used the term 
“pre-emption” in a setting without priorities [17]; in their usage pre-emption occurs when the execution 
of one transition removes the possibility of another. In our priority-oriented framework, we say that pre- 
emption occurs when the presence of one transition disables another transition. Berry [12] refers to this latter 
notion as must pre-emption and to the former as may pre-emption. In this article, whenever we speak of
“pre-emption” we mean “must pre-emption.” It should also be noted that our concept of global pre-emption 
and dynamic priority differs from the notion of globally dynamic priority found in [68]; as the distinction is 
somewhat technical we defer further discussion on this point to later in the article. 

1.2. Summary. This paper surveys existing work on priority in process algebras. In order to focus 
on some of the technical issues involved with priority and pre-emption, we introduce a simple framework 
for their illustration. This framework extends Milner’s Calculus of Communicating Systems (CCS) [52] and 
its bisimulation-based semantic theory by attaching priority values to actions. Although familiarity with
CCS is not a prerequisite for reading this article, some knowledge of it would be advantageous since not 
all standard definitions and notations are re-stated here. For our language three different semantics are 
given: one reflecting static priorities and global pre-emption, one for static priorities and local pre-emption, 
and one capturing dynamic priorities and global pre-emption. The common language allows for a detailed 
comparison of the semantic concepts; in addition, the classification scheme presented above helps us to categorize
most published approaches to priority. These have been proposed for a variety of well-known process
algebras, such as the already mentioned CCS, the Algebra of Communicating Processes (ACP) [8], Communicating
Sequential Processes (CSP) [40], the Calculus of Broadcasting Systems with Priorities (PCBS) [65],
Synchronous CCS (SCCS) [52], and Asynchronous Communicating Shared Resources (ACSR) [22]. 

Technically, for the process algebras with static priority to be presented in this paper we develop a 
semantic theory based on the notion of bisimulation [52, 61]. Our aim is to carry over the standard algebraic 
results from CCS [52], including abstractness theorems as well as axiomatic, logical, and algorithmic characterizations.
More precisely, we investigate both strong and weak bisimulations that are based on naive
adaptations of the standard definitions as given by Milner; we especially characterize the largest congruences 
contained in these relations. These abstractness results indicate that the behavioral relations are semantically 
adequate and useful for formally reasoning about concurrent and distributed systems. Moreover, we present 
sound and complete axiomatizations for the obtained strong bisimulations with respect to finite processes, 
i.e., those which do not contain recursion. These axiomatizations testify to the mathematical tractability of
the semantic theories presented here. We also characterize the attendant notions of prioritized strong and 
weak bisimulations as standard bisimulations on alternative transition relations so that well-known partition- 
refinement algorithms [46, 60] for their computation become applicable. This also allows for establishing 
logical characterizations of the behavioral relations by adapting Hennessy-Milner logic [19, 52]. In the case
of the dynamic priority semantics, we prove a one-to-one correspondence with traditional real-time semantics 
in terms of strong bisimulation. Because of this close relationship semantic theories developed for real-time 
process algebras can be carried over to the dynamic priority setting.

1.3. Organization. The remainder of this paper is organized as follows. The next section introduces 
our language, defines some formal notations used throughout the paper, and discusses some basic design 
decisions we have taken. Section 3 presents a semantics of the language based on static priority and global
pre-emption; Section 4 then develops a semantics based on static priority and local pre-emption. A dynamic 
priority approach is illustrated in Section 5. Related work is referred to in each of the last three sections, while
Section 6 surveys several priority approaches adopted for different process-algebraic frameworks. Section 7 
contains our conclusions and suggestions for future work. The final section points to the most relevant 
sources of the research compiled in this article. 

2. Basic Language and Notation. As mentioned above, the language considered here is an extension 
of Milner's CCS [52], a process algebra characterized by handshake communication and interleaving semantics
for parallel composition. Syntactically, CCS includes notations for visible actions, which are either sends or
receives on ports, and a distinguished invisible, or internal action. The semantics of CCS is then given via
a transition relation that labels execution steps with actions. When a sender and receiver synchronize, the 
resulting action is internal. Consequently, transitions labeled by visible actions can be seen as representing 
only potential computation steps, since in order for them to occur they require a contribution from the 
environment. Transitions labeled by internal actions describe complete synchronizations and therefore should 
be viewed as “real” computation steps. 

In order to capture priorities, the syntax of our language differs from CCS in that the port set exhibits a 
priority scheme, i.e., priorities are attached to ports. Our notion of pre-emption then stipulates that a system 
cannot engage in transitions labeled by actions with a given priority whenever it is able to perform a transition
labeled by an internal action of a higher priority. In this case we say that the lower-priority transition is 
pre-empted by the higher-priority internal transition. In accordance with the above discussion visible actions 
never have pre-emptive power over actions of lower priority because visible actions only indicate the potential 
for execution. An algebraic justification of this design decision can be found in Section 3.5.

Technically, priority values are taken from some finite domain equipped with a strict order. For the sake
of simplicity we use finite initial intervals $\mathcal{N}$ of the natural numbers in what follows. We adopt the convention
that smaller numbers mean higher priorities; so 0 is the highest priority. Intuitively, visible actions represent
potential communications that a process may be willing to engage in with its environment. Formally, let
$\{\Lambda_k \mid k \in \mathcal{N}\}$ denote an $\mathcal{N}$-indexed family of countably infinite, disjoint sets of ports. Intuitively, $\Lambda_k$ contains
the ports with priority $k$ that processes may synchronize over. Then the set of actions $\mathcal{A}_k$ with priority $k$
may be defined by $\mathcal{A}_k =_{df} \Lambda_k \cup \overline{\Lambda}_k \cup \{\tau_k\}$, where $\overline{\Lambda}_k =_{df} \{\overline{\lambda} \mid \lambda \in \Lambda_k\}$ and $\tau_k \notin \Lambda_k$. An action $\lambda{:}k \in \Lambda_k$
may be thought of as representing the receipt of an input on port $\lambda$ that has priority $k$, while $\overline{\lambda}{:}k \in \overline{\Lambda}_k$
constitutes the deposit of an output on $\lambda$. The invisible actions $\tau_k$ represent internal computation steps with
priority $k$. For better readability we write $\lambda{:}k$ if $\lambda \in \Lambda_k$ and $\tau{:}k$ for $\tau_k$. The set of all ports $\Lambda$ and the
set of all actions $\mathcal{A}$ are defined by $\bigcup\{\Lambda_k \mid k \in \mathcal{N}\}$ and $\bigcup\{\mathcal{A}_k \mid k \in \mathcal{N}\}$, respectively. In what follows, we use
$\alpha{:}k, \beta{:}k, \ldots$ to range over $\mathcal{A}$ and $a{:}k, b{:}k, \ldots$ to range over $\Lambda \cup \overline{\Lambda}$. We also extend $\overline{\phantom{a}}$ to all visible actions
$a{:}k$ by $\overline{\overline{a}{:}k} =_{df} a{:}k$. Finally, if $L \subseteq \mathcal{A} \setminus \{\tau{:}k \mid k \in \mathcal{N}\}$ then $\overline{L} = \{\overline{a}{:}k \mid a{:}k \in L\}$. The syntax of our language
is defined by the following BNF.

$P ::= 0 \mid x \mid \alpha{:}k.P \mid P + P \mid P|P \mid P[f] \mid P \setminus L \mid \mu x.P$

Here $f$ is a finite relabeling, i.e., a mapping on $\mathcal{A}$ which satisfies $f(\tau{:}k) = \tau{:}k$ for all $k \in \mathcal{N}$, $f(\overline{a}{:}k) = \overline{f(a{:}k)}$
for all $a{:}k \in \mathcal{A} \setminus \{\tau{:}k \mid k \in \mathcal{N}\}$, and $|\{\alpha{:}k \mid f(\alpha{:}k) \neq \alpha{:}k\}| < \infty$. Moreover, a relabeling preserves priority
values, i.e., for all $a{:}k \in \mathcal{A} \setminus \{\tau{:}k \mid k \in \mathcal{N}\}$ we have $f(a{:}k) = b{:}k$ for some $b{:}k \in \mathcal{A}_k \setminus \{\tau_k\}$. Furthermore,
the restriction set $L$ is a subset of $\mathcal{A} \setminus \{\tau{:}k \mid k \in \mathcal{N}\}$, and $x$ is a variable taken from a set $\mathcal{V}$. Sometimes
it is convenient to write $C \stackrel{\mathrm{def}}{=} P$ for $\mu C.P$ where the identifier $C$ is interpreted as variable. We adopt the
standard definitions for sort of a process, free and bound variables, open and closed terms, guarded recursion,
and contexts [52]. We refer to closed and guarded terms as processes and use $P, Q, R, \ldots$ to range over the
set $\mathcal{P}$ of processes. Finally, we denote syntactic equality by $\equiv$.

Although our framework allows for multi-level priority schemes we often restrict ourselves to a two-level 
priority framework, i.e. we choose $\mathcal{N} = \{0, 1\}$. The reason is that even in this simple setting most central
semantic and technical issues regarding the introduction of priority to process algebra can be illustrated. 
However, we also discuss how the obtained results can be carried over to multi-level priority-schemes. In 
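order to improve readability within the two-level priority-scheme we often write $\underline{\alpha}$ for the “prioritized”
action $\alpha{:}0$, $\alpha$ for the “unprioritized” action $\alpha{:}1$, $\underline{\mathcal{A}}$ for $\mathcal{A}_0$, and $\mathcal{A}$ for $\mathcal{A}_1$. Moreover, we let $\delta$ and $\gamma$
represent elements taken from $\underline{\mathcal{A}} \cup \mathcal{A}$. Finally, we want to emphasize again that $\underline{a}$ and $a$ are considered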
to be different ports; i.e., the priority value is part of a port and not of an action. Thus, in a CCS-based 
framework only complementary actions having the same priority value can engage in a communication. 
We discuss the consequences of lifting this restriction in Section 3.7 for frameworks involving global pre- 
emption and in Section 4.6 for those involving local pre-emption. It should be remarked that the dynamic 
priority approach presented in Section 5 also differs in its interpretation of ports, actions, and priority values. 
Finally, our language does not provide any means for changing priority values of actions. However, we will 
discuss in Section 3.5 the effect of introducing additional operators to our language, called prioritization and 
deprioritization , which respectively increase and decrease priority values. 

3. Static Priority and Global Pre-emption. In this section we introduce a semantics of our language,
restricted to a two-level priority-scheme, based on static priority and global pre-emption. We refer to
this language as CCS$^{sg}$ (CCS with static priority and global pre-emption) and develop its semantic theory
along the lines mentioned in Section 1.2. The organization of this section is as follows. Section 3.1 formally
introduces the operational semantics for CCS$^{sg}$. The following two sections show how to adapt the notions
of strong bisimulation and observational congruence to CCS$^{sg}$, respectively. Section 3.4 applies the semantic
theory to our introductory back-and-forth example. The consequences of adding prioritization and deprioritization
operators to CCS$^{sg}$ are discussed in Section 3.5. Finally, Section 3.6 comments on the extension of
CCS$^{sg}$ to multi-level priority-schemes whereas Section 3.7 presents our concluding remarks and related work.

3.1. Operational Semantics. The semantics of a process $P \in \mathcal{P}$ is given by a labeled transition
system $\langle \mathcal{P}, \mathcal{A}, \longrightarrow, P \rangle$, where $\mathcal{P}$ is the set of states, $\mathcal{A}$ is the alphabet, $\longrightarrow \subseteq \mathcal{P} \times \mathcal{A} \times \mathcal{P}$ is the transition
relation formally defined to be the least relation satisfying the operational rules in Plotkin-style notation [63]
presented in Table 3.2, and $P$ is the start state. We write $P \xrightarrow{\gamma} P'$ instead of $\langle P, \gamma, P' \rangle \in \longrightarrow$ and say
that $P$ may engage in action $\gamma$ and thereafter behave like process $P'$. Moreover, we let $P \xrightarrow{\gamma}$ stand for
$\exists P' \in \mathcal{P}.\ P \xrightarrow{\gamma} P'$. The presentation of the operational rules requires prioritized initial action sets $\underline{\mathcal{I}}(P)$
which are defined as the smallest sets satisfying the equations in Table 3.1. Intuitively, $\underline{\mathcal{I}}(P)$ denotes the set
of all prioritized actions in which $P$ can initially engage. For convenience we also write $\underline{\mathcal{I\!I}}(P)$ for $\underline{\mathcal{I}}(P) \setminus \{\underline{\tau}\}$.

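Table 3.1

Prioritized initial action sets for CCS$^{sg}$

$\underline{\mathcal{I}}(\underline{\alpha}.P) = \{\underline{\alpha}\}$

$\underline{\mathcal{I}}(\mu x.P) = \underline{\mathcal{I}}(P[\mu x.P/x])$

$\underline{\mathcal{I}}(P + Q) = \underline{\mathcal{I}}(P) \cup \underline{\mathcal{I}}(Q)$

$\underline{\mathcal{I}}(P|Q) = \underline{\mathcal{I}}(P) \cup \underline{\mathcal{I}}(Q) \cup \{\underline{\tau} \mid \underline{\mathcal{I}}(P) \cap \overline{\underline{\mathcal{I}}(Q)} \neq \emptyset\}$

$\underline{\mathcal{I}}(P[f]) = \{f(\underline{\alpha}) \mid \underline{\alpha} \in \underline{\mathcal{I}}(P)\}$

$\underline{\mathcal{I}}(P \setminus L) = \underline{\mathcal{I}}(P) \setminus (L \cup \overline{L})$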


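Table 3.2

Operational semantics for CCS$^{sg}$

Each rule is given first for prioritized actions and then for unprioritized actions, the latter with its side condition.

Act: $\underline{\alpha}.P \xrightarrow{\underline{\alpha}} P$; $\alpha.P \xrightarrow{\alpha} P$

Sum1: $\dfrac{P \xrightarrow{\underline{\alpha}} P'}{P + Q \xrightarrow{\underline{\alpha}} P'}$; $\dfrac{P \xrightarrow{\alpha} P'}{P + Q \xrightarrow{\alpha} P'}\ \ \underline{\tau} \notin \underline{\mathcal{I}}(Q)$

Sum2: $\dfrac{Q \xrightarrow{\underline{\alpha}} Q'}{P + Q \xrightarrow{\underline{\alpha}} Q'}$; $\dfrac{Q \xrightarrow{\alpha} Q'}{P + Q \xrightarrow{\alpha} Q'}\ \ \underline{\tau} \notin \underline{\mathcal{I}}(P)$

Com1: $\dfrac{P \xrightarrow{\underline{\alpha}} P'}{P|Q \xrightarrow{\underline{\alpha}} P'|Q}$; $\dfrac{P \xrightarrow{\alpha} P'}{P|Q \xrightarrow{\alpha} P'|Q}\ \ \underline{\tau} \notin \underline{\mathcal{I}}(P|Q)$

Com2: $\dfrac{Q \xrightarrow{\underline{\alpha}} Q'}{P|Q \xrightarrow{\underline{\alpha}} P|Q'}$; $\dfrac{Q \xrightarrow{\alpha} Q'}{P|Q \xrightarrow{\alpha} P|Q'}\ \ \underline{\tau} \notin \underline{\mathcal{I}}(P|Q)$

Com3: $\dfrac{P \xrightarrow{\underline{a}} P' \quad Q \xrightarrow{\overline{\underline{a}}} Q'}{P|Q \xrightarrow{\underline{\tau}} P'|Q'}$; $\dfrac{P \xrightarrow{a} P' \quad Q \xrightarrow{\overline{a}} Q'}{P|Q \xrightarrow{\tau} P'|Q'}\ \ \underline{\tau} \notin \underline{\mathcal{I}}(P|Q)$

Rel: $\dfrac{P \xrightarrow{\underline{\alpha}} P'}{P[f] \xrightarrow{f(\underline{\alpha})} P'[f]}$; $\dfrac{P \xrightarrow{\alpha} P'}{P[f] \xrightarrow{f(\alpha)} P'[f]}$

Res: $\dfrac{P \xrightarrow{\underline{\alpha}} P'}{P \setminus L \xrightarrow{\underline{\alpha}} P' \setminus L}\ \ \underline{\alpha} \notin L \cup \overline{L}$; $\dfrac{P \xrightarrow{\alpha} P'}{P \setminus L \xrightarrow{\alpha} P' \setminus L}\ \ \alpha \notin L \cup \overline{L}$

Rec: $\dfrac{P[\mu x.P/x] \xrightarrow{\underline{\alpha}} P'}{\mu x.P \xrightarrow{\underline{\alpha}} P'}$; $\dfrac{P[\mu x.P/x] \xrightarrow{\alpha} P'}{\mu x.P \xrightarrow{\alpha} P'}$
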
The rules in Table 3.2 capture the following operational behavior. The process $\gamma.P$ may engage in
action $\gamma$ and then behave like $P$. The summation operator $+$ denotes nondeterministic choice. The process
$P + Q$ may behave like process $P$ ($Q$) if $Q$ ($P$) does not pre-empt an unprioritized transition by performing
a prioritized internal transition. The restriction operator $\setminus L$ prohibits the execution of transitions labeled
by actions in $L \cup \overline{L}$ and, thus, permits the scoping of actions. $P[f]$ behaves exactly as process $P$ with
the actions renamed with respect to $f$. The process $P|Q$ stands for the parallel composition of $P$ and $Q$
according to an interleaving semantics with synchronized communication on complementary actions on the
same priority value resulting in the internal action $\underline{\tau}$ or $\tau$. However, if $Q$ ($P$) is capable of engaging in a
prioritized internal transition, then unprioritized transitions of $P$ ($Q$) are pre-empted. Finally, $\mu x.P$ denotes
a recursively defined process that is a distinguished solution to the equation $x = P$.


3.2. Semantic Theory Based on Strong Bisimulation. The semantic theory for CCS$^{sg}$ is based
on the notion of bisimulation [52, 61]. First, strong bisimulation [52] is adapted from CCS to our setting as 
follows; we refer to this relation as prioritized strong bisimulation. 

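Definition 3.1 (Prioritized Strong Bisimulation). A symmetric relation $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$ is called a prioritized
strong bisimulation if for every $\langle P, Q \rangle \in \mathcal{R}$ and $\gamma \in \mathcal{A}$ the following condition holds.

$P \xrightarrow{\gamma} P'$ implies $\exists Q'.\ Q \xrightarrow{\gamma} Q'$ and $\langle P', Q' \rangle \in \mathcal{R}$.

We write $P \sim Q$ if $\langle P, Q \rangle \in \mathcal{R}$ for some prioritized strong bisimulation $\mathcal{R}$.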

It is easy to see that $\sim$ is an equivalence and that it is the largest prioritized strong bisimulation. The
following result, which enables compositional reasoning, can be proved straightforwardly using standard
techniques [1, 25, 72].

Theorem 3.2. $\sim$ is a congruence.

An axiomatization of $\sim$ for finite processes, i.e., guarded and closed CCS$^{sg}$ terms not containing recursion,
can be developed closely along the lines of [25]. We write $\vdash t = u$ if process term $t$ can be rewritten to
$u$ using the axioms in Table 3.3, which correspond to the axioms presented in [52] except that Axiom (P)
dealing with global pre-emption has been added. In Expansion Axiom (E) the symbol $\sum$ stands for the
indexed version of $+$, where the empty sum denotes the inaction process 0. The next theorem states that
our equations characterize prioritized strong bisimulation for finite CCS$^{sg}$ processes. Its proof can be found
in [25]; it uses the technique described in [52].

Theorem 3.3. Let $t$ and $u$ be finite processes. Then $t \sim u$ if and only if $\vdash t = u$.


3.3. Semantic Theory Based on Weak Bisimulation. The behavioral congruence developed in the 
previous section is too strong for verifying systems in practice, as it requires that two equivalent terms match 
each other’s transitions exactly, even those labeled by internal actions. In process algebra one remedies this 
problem by developing a semantic congruence that abstracts away from internal transitions. We start off 
with the definition of a naive prioritized weak bisimulation which is an adaptation of Milner’s observational 
equivalence [52]. 

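Definition 3.4 (Naive Prioritized Weak Transition Relation).

1. $\hat{\underline{\tau}} =_{df} \hat{\tau} =_{df} \epsilon$, $\hat{\underline{a}} =_{df} \underline{a}$, and $\hat{a} =_{df} a$

2. $\Longrightarrow_\times =_{df} (\xrightarrow{\underline{\tau}} \cup \xrightarrow{\tau})^*$

3. $\stackrel{\gamma}{\Longrightarrow}_\times =_{df} \Longrightarrow_\times \circ \xrightarrow{\gamma} \circ \Longrightarrow_\times$
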
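Table 3.3

Axiomatization of $\sim$

(A1) $t + u = u + t$

(A2) $t + (u + v) = (t + u) + v$

(A3) $t + t = t$

(A4) $t + 0 = t$

(E) Let $t \equiv \sum_i \gamma_i.t_i$ and $u \equiv \sum_j \delta_j.u_j$. Then
$t|u = \sum_i \gamma_i.(t_i|u) + \sum_j \delta_j.(t|u_j) + \sum\{\underline{\tau}.(t_i|u_j) \mid \gamma_i = \overline{\delta_j},\ \gamma_i \in \underline{\mathcal{A}}\} + \sum\{\tau.(t_i|u_j) \mid \gamma_i = \overline{\delta_j},\ \gamma_i \in \mathcal{A}\}$

(Res1) $0 \setminus L = 0$

(Rel1) $0[f] = 0$

(Res2) $(\gamma.t) \setminus L = 0$ $(\gamma \in L \cup \overline{L})$

(Rel2) $(\gamma.t)[f] = f(\gamma).(t[f])$

(Res3) $(\gamma.t) \setminus L = \gamma.(t \setminus L)$ $(\gamma \notin L \cup \overline{L})$

(Rel3) $(t + u)[f] = t[f] + u[f]$

(Res4) $(t + u) \setminus L = (t \setminus L) + (u \setminus L)$

(P) $\underline{\tau}.t + \alpha.u = \underline{\tau}.t$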


Observe that this transition relation abstracts from priority levels for This is in accordance with the
fact that a priority value is part of an action and, thus, is unobservable for internal actions.

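Definition 3.5 (Naive Prioritized Weak Bisimulation). A symmetric relation $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$ is a naive
prioritized weak bisimulation if for every $\langle P, Q \rangle \in \mathcal{R}$ and $\gamma \in \mathcal{A}$ the following condition holds.

$P \xrightarrow{\gamma} P'$ implies $\exists Q'.\ Q \stackrel{\hat{\gamma}}{\Longrightarrow}_\times Q'$ and $\langle P', Q' \rangle \in \mathcal{R}$.

We write $P \approx_\times Q$ if there exists some naive prioritized weak bisimulation $\mathcal{R}$ such that $\langle P, Q \rangle \in \mathcal{R}$.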

Naive prioritized weak bisimulation can be shown to be an equivalence. Unfortunately, $\approx_\times$ is not a congruence
for CCS$^{sg}$ with respect to parallel composition, summation, and recursion. Whereas the compositionality
defect for summation and recursion is similar to the one for CCS [52], the defect with respect to parallel
composition is due to pre-emption. As an example consider the processes $P \stackrel{\mathrm{def}}{=} a.0 + \underline{b}.0$ and $Q \stackrel{\mathrm{def}}{=} a.0 + \tau.(a.0 + \underline{b}.0)$.
It is easy to see that $P \approx_\times Q$. However, when composing these processes in parallel with the
process $\overline{\underline{b}}.0$ then $Q|\overline{\underline{b}}.0 \xrightarrow{a} 0|\overline{\underline{b}}.0$ whereas $P|\overline{\underline{b}}.0 \not\stackrel{a}{\Longrightarrow}_\times$, i.e., $P|\overline{\underline{b}}.0 \not\approx_\times Q|\overline{\underline{b}}.0$. This example shows that
one has to be more careful when defining the prioritized weak transition relation since transitions labeled
by visible actions may turn to internal transitions when composed with an environment and, thereby, may
gain pre-emptive power. Consequently, a more adequate notion of weak transitions must take the potential
of processes engaging in visible prioritized transitions into account.
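
The rules of Tables 3.1 and 3.2 and the counterexample above can be checked mechanically. The following Python sketch is an added example, not code from the paper: it covers the two-level language without relabeling, and the term encoding (nested tuples, `~` for the complement, priority 0 or 1) and all function names are assumptions made for illustration.

```python
# Added example: two-level CCS^sg without relabeling; the encoding is illustrative.
TAU0, TAU1 = ("tau", 0), ("tau", 1)   # prioritized / unprioritized internal action
NIL = ("nil",)

def bar(act):
    """Complement of a visible action; the priority value is kept."""
    name, k = act
    return (name[1:], k) if name.startswith("~") else ("~" + name, k)

def pre(act, p): return ("pre", act, p)
def choice(p, q): return ("sum", p, q)
def par(p, q): return ("par", p, q)
def var(x): return ("var", x)           # guarded recursion, resolved through defs
def res(p, ports):
    L = frozenset(ports)
    return ("res", p, L | {bar(a) for a in L})   # stores L united with its complement

def prio_init(p, defs):
    """Prioritized initial action set of p, following Table 3.1."""
    tag = p[0]
    if tag == "nil":
        return set()
    if tag == "pre":
        return {p[1]} if p[1][1] == 0 else set()
    if tag == "var":
        return prio_init(defs[p[1]], defs)
    if tag == "res":
        return prio_init(p[1], defs) - p[2]
    ip, iq = prio_init(p[1], defs), prio_init(p[2], defs)
    if tag == "par" and any(a != TAU0 and bar(a) in iq for a in ip):
        return ip | iq | {TAU0}          # a prioritized handshake is possible
    return ip | iq

def trans(p, defs):
    """Set of (action, successor) pairs of p, following Table 3.2."""
    tag = p[0]
    if tag == "nil":
        return set()
    if tag == "pre":
        return {(p[1], p[2])}
    if tag == "var":
        return trans(defs[p[1]], defs)
    if tag == "res":
        return {(a, ("res", s, p[2])) for a, s in trans(p[1], defs) if a not in p[2]}
    l, r = p[1], p[2]
    tl, tr = trans(l, defs), trans(r, defs)
    if tag == "sum":   # Sum1/Sum2: tau:0 of one summand pre-empts the other's priority-1 steps
        return ({(a, s) for a, s in tl if a[1] == 0 or TAU0 not in prio_init(r, defs)} |
                {(a, s) for a, s in tr if a[1] == 0 or TAU0 not in prio_init(l, defs)})
    free = TAU0 not in prio_init(p, defs)   # side condition of Com1-Com3 for priority 1
    out = {(a, par(s, r)) for a, s in tl if a[1] == 0 or free}
    out |= {(a, par(l, s)) for a, s in tr if a[1] == 0 or free}
    out |= {(("tau", a[1]), par(s, t)) for a, s in tl for b, t in tr
            if a[0] != "tau" and b == bar(a) and (a[1] == 0 or free)}
    return out

def closure(p, defs, only_tau=False):
    """States reachable from p; with only_tau, via internal steps of either priority."""
    seen, todo = {p}, [p]
    while todo:
        for a, s in trans(todo.pop(), defs):
            if s not in seen and (a[0] == "tau" or not only_tau):
                seen.add(s)
                todo.append(s)
    return seen

def weak_succ(p, act, defs):
    """Targets of the naive weak transition for act (Definition 3.4); tau is erased."""
    start = closure(p, defs, only_tau=True)
    if act[0] == "tau":
        return start
    mid = {s for q in start for a, s in trans(q, defs) if a == act}
    return {t for s in mid for t in closure(s, defs, only_tau=True)}

def naive_weak_bisimilar(p, q, defs=None):
    """Greatest-fixpoint check of Definition 3.5 on the finite reachable state space."""
    defs = defs or {}
    states = closure(p, defs) | closure(q, defs)
    rel = {(s, t) for s in states for t in states}
    changed = True
    while changed:
        changed = False
        for s, t in list(rel):
            if (s, t) in rel and not all(
                    any((s1, t1) in rel for t1 in weak_succ(t, a, defs))
                    for a, s1 in trans(s, defs)):
                rel -= {(s, t), (t, s)}
                changed = True
    return (p, q) in rel

# The counterexample from the text: P = a.0 + b:0.0 and Q = a.0 + tau.(a.0 + b:0.0)
A1, B0 = ("a", 1), ("b", 0)
P = choice(pre(A1, NIL), pre(B0, NIL))
Q = choice(pre(A1, NIL), pre(TAU1, P))
ENV = pre(bar(B0), NIL)                  # the context: complement of b:0, then 0

if __name__ == "__main__":
    print(naive_weak_bisimilar(P, Q), naive_weak_bisimilar(par(P, ENV), par(Q, ENV)))
```

Running it prints `True False`: the two processes are related on their own, but placing both next to the complementary prioritized action enables a prioritized handshake only in the first, which pre-empts its `a` step.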

3.3.1. Prioritized Weak Bisimulation. Despite its lack of compositionality, the above definition of
$\approx_\times$ reflects an intuitive approach to abstracting from internal computation. For handling the congruence
problem it is important to consider the following fact from universal algebra.

Proposition 3.6. Let $\mathcal{R}$ be an equivalence over an algebra $\Re$. The largest congruence $\mathcal{R}^+$ in $\mathcal{R}$ exists
and $\mathcal{R}^+ = \{\langle P, Q \rangle \mid \forall\, \Re\text{-contexts } C[X].\ \langle C[P], C[Q] \rangle \in \mathcal{R}\}$, where an $\Re$-context $C[X]$ is a term in $\Re$ with one
free occurrence of the variable $X$.

Thus, we know that $\approx_\times$ contains a largest congruence $\approx_\times^+$ for CCS$^{sg}$ and devote the rest of this section to
characterizing $\approx_\times^+$. We first define a new weak transition relation which takes pre-emption into account.
Definition 3.7 (Prioritized Weak Transition Relation). Let $L \subseteq \underline{\mathcal{A}} \setminus \{\underline{\tau}\}$.

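(i) $\hat{\underline{\tau}} =_{df} \epsilon$, $\hat{\tau} =_{df} \epsilon$, $\hat{\underline{a}} =_{df} \underline{a}$, and $\hat{a} =_{df} a$

(ii) $P \xrightarrow[L]{\alpha} P'$ if $P \xrightarrow{\alpha} P'$ and $\underline{\mathcal{I}}(P) \subseteq L$

(iii) =^> ~df

(iv) ==> = d j (-=+ U -A )*

(v)

(vi) ~ d f =J> O o =k>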

Intuitively, we have made the transition relation sensitive to pre-emption by introducing conditions involving
prioritized initial action sets and by preserving priority levels of internal actions. In the remainder, we show
that prioritized initial action sets are an adequate means for measuring pre-emption potentials. In this light,
$P \xrightarrow[L]{a} P'$ states that $P$ can evolve to $P'$ by performing the unprioritized action $a$ if the environment does not
offer any prioritized communication on some port in $L$.

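Definition 3.8 (Prioritized Weak Bisimulation). A symmetric relation $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$ is a prioritized
weak bisimulation if for every $\langle P, Q \rangle \in \mathcal{R}$, $\underline{\alpha} \in \underline{\mathcal{A}}$, and $\alpha \in \mathcal{A}$ the following conditions hold.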

1 . rgZ(P) implies 3Q'.Q=>Q', MQ') Q L where L = 2T(P), r £ 1(Q'), and (P,Q f ) £ 71. 

2. P P l implies 3Q l . Q =i> Q‘, and <P, Q ') £ 71. 

3. P P' implies 3Q‘.Q=>Q', where L = 2£(P), and <P\C?'> £ 71. 

We write $P \approx Q$ if $\langle P, Q \rangle \in \mathcal{R}$ for some prioritized weak bisimulation $\mathcal{R}$.

This new version of weak bisimulation is algebraically more robust than the naive one; in fact, Condition (1)
of Definition 3.8 is necessary for achieving compositionality with respect to parallel composition.

Proposition 3.9. The equivalence $\approx$ is a congruence with respect to prefixing, parallel composition,
relabeling, and restriction. Moreover, $\approx$ is characterized as the largest congruence contained in $\approx_\times$, in the
sub-algebra of CCS$^{sg}$ induced by these operators and recursion.

Although $\approx$ is itself not a congruence, this relation provides the basis for obtaining a congruence as is made
precise in the next section.


3.3.2. Prioritized Observational Congruence. The compositionality defect of « with respect to 
summation is handled in the following notion of prioritized observational congruence. Unfortunately, the 
summation fix presented in [52], which requires an initial internal transition to be matched by a nontrivial 
internal weak transition, is not sufficient in order to achieve a congruence based on prioritized weak bisim- 
ulation. To see why, let D — r.E and E == r.D. Now define P^= r.D and Q^r.E. By Definition 3.8 we 
may observe P «(?, but P + a.O Q + a.O since the former can perform an a-transition whereas the latter 
cannot. It turns out that we have to require that observationally congruent processes must possess the same 
prioritized initial action sets; a requirement which is stronger than the property stated in Condition (1) of 
Definition 3.8. 

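Definition 3.10. Define $P \approx^l Q$ if for all $\underline{\alpha} \in \underline{\mathcal{A}}$ and $\alpha \in \mathcal{A}$ the following conditions and their symmetric
counterparts hold.

1. $\underline{\mathcal{I}}(P) \supseteq \underline{\mathcal{I}}(Q)$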

2. P -=* P l implies 3 Q* Q Q ’ and P f &Q f . 

3. P P ( implies 3Q’.Q^Q', where L = 2T(P) , andP'nQ'. 

The following theorem states the desired algebraic result for $\approx^l$.

Theorem 3.11. $\approx^l$ is the largest congruence contained in $\approx_\times$, i.e., $\approx^l = \approx_\times^+$.

Whereas the proof of the congruence property of $\approx^l$ is standard (cf., [52]), the “largest” part is proved by
using the following fact from universal algebra.

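Proposition 3.12. Let $\mathcal{R}_1$ and $\mathcal{R}_2$ be equivalences over an algebra $\Re$ such that $\mathcal{R}_1^+ \subseteq \mathcal{R}_2 \subseteq \mathcal{R}_1$. Then
$\mathcal{R}_1^+ = \mathcal{R}_2^+$.

For the purposes of this section one chooses $\mathcal{R}_1 = \approx_\times$ and $\mathcal{R}_2 = \approx$. The next theorem establishes $\mathcal{R}_2^+ = \approx^l$
and can be proved as a corresponding one in [52]; for details see [50].

Theorem 3.13. $\approx^l$ is the largest congruence contained in $\approx$.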

In order to apply Proposition 3.12, the relation $\approx_\times^+ \subseteq \approx \subseteq \approx_\times$ needs to be shown. The inclusion $\approx \subseteq \approx_\times$
follows immediately from the definition of the naive prioritized weak and the prioritized weak transition
relation. Thus one is left with $\approx_\times^+ \subseteq \approx$. This inclusion turns out to be difficult to prove directly. Therefore,
the auxiliary relation $\approx_a =_{df} \{\langle P, Q \rangle \mid C_{PQ}[P] \approx_\times C_{PQ}[Q]\}$ is defined which lies in between $\approx_\times^+$ and $\approx$. Here,

writing 5 for the (finite) union of the prioritized sorts of P and Q, let Cpq[X] = f A" | H PQ and 

/ d hr H PQ + \ 

HpQ f =c. 0+ r. D L --e.H PQ + I. 

Lcs,bes b.Hpq ) 

Moreover, Di is defined as an d Hie actions c, t ,e for all L C 5 and 6 € S, and their comple- 

ments, are supposed to be “fresh” actions, i.e., not in SuS. By Proposition 3.6 we may conclude C « a . 
The other necessary inclusion $\approx_a \subseteq \approx$ is established by showing that $\approx_a$ is a prioritized weak bisimulation;
the proof details can be found in [50]. Summarizing, Theorem 3.11 is a consequence of Proposition 3.12, as
is illustrated by Figure 3.1, where an arrow from relation $\mathcal{R}_1$ to relation $\mathcal{R}_2$ means that $\mathcal{R}_1 \subseteq \mathcal{R}_2$.



Fig. 3.1. Situation in the proof of Theorem 3.11

3.3.3. Operational Characterization. The aim of this section is to show how prioritized weak bisimulation
can be efficiently computed by adapting standard partition-refinement algorithms [46, 60] developed
for strong bisimulation [52]. To this end, we provide an operational characterization of prioritized weak
bisimulation as strong bisimulation by introducing an alternative prioritized weak transition relation.

Definition 3.14. For P,P' e V, a e A, and a € A define 
1 • =^*=d/=4 and 

2. P P' if 3P" eV.r$ Z(P") and P P" A P' for L = 2T(P"). 
Observe that the alternative prioritized weak transition relation is not parameterized by prioritized initial
action sets. Its computation can be done efficiently using dynamic programming techniques. 

Definition 3.15. A symmetric relation 7Z C V xP is called an alternative prioritized weak bisimulation 
if for all (P, Q) € R and 7 (E A U A the following condition holds . 

P =^>, P' implies 3Q'. Q =4. Q' and <P\Q') G U . 

We write P Q if (P, Q) € R for some alternative prioritized weak bisimulation R. 

Theorem 3.16 (Operational Characterization), « = 

The proof is omitted since this characterization result can be established straightforwardly [50]. However, 
it should be mentioned that the above characterization can also be used as a basis for defining a Hennessy- 
Milner logic along the lines of [52] (see also [50]). 

3.4. Example. As a simple example, we take a look at the back-and-forth system introduced in
Section 1, which can be formalized in $\mathrm{CCS}^{sg}$ as follows: $\mathit{Sys} \stackrel{\text{def}}{=} (A \mid B) \setminus \{i\}$ where
$A \stackrel{\text{def}}{=} \mathit{back}.A' + i.\tau.\mathit{ok}.i.A$, $A' \stackrel{\text{def}}{=} \mathit{forth}.A + i.\tau.\mathit{ok}.i.A'$, and $B \stackrel{\text{def}}{=} \mathit{check}.i.i.B$.
Intuitively, $i$ is an internal interrupt, and thus prioritized and restricted (via $\setminus \{i\}$), which is invoked
whenever check is executed. Hence, in such a state the process $A$ cannot engage in a transition labeled by back
or forth according to our pre-emptive operational semantics, but must accept the communication on the
prioritized port $i$. One can think of the $\tau$-action in the definition of process $A$ as representing some internal
activities determining the current status of the system. The $\mathrm{CCS}^{sg}$ semantics of Sys is shown in Figure 3.2.




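In the sequel, we prove that Sys meets its intuitive specification Spec, which is given by

$$\mathit{Spec} \stackrel{\text{def}}{=} \mathit{back}.\mathit{Spec}' + \mathit{check}.\mathit{ok}.\mathit{Spec}$$
$$\mathit{Spec}' \stackrel{\text{def}}{=} \mathit{forth}.\mathit{Spec} + \mathit{check}.\mathit{ok}.\mathit{Spec}'.$$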

First, the validity of Sys & Spec is proved by the relation presented in Table 3.4 whose symmetric closure is 
a prioritized weak bisimulation that contains (Sys, Spec). 

In addition, both processes only possess visible initial actions, and their prioritized initial action sets are 
identical. Hence, we may conclude Sys Spec. Contrast this with pure CCS where we could not deal with 
interrupt behavior, and we have achieved our goal. 

Table 3.4

A relation whose symmetric closure is a prioritized weak bisimulation

$\langle\, \mathit{Sys},\ \mathit{Spec} \,\rangle$,

$\langle\, (A' \mid B) \setminus \{i\},\ \mathit{Spec}' \,\rangle$,

$\langle\, (A \mid i.i.B) \setminus \{i\},\ \mathit{ok}.\mathit{Spec} \,\rangle$,

$\langle\, (\tau.\mathit{ok}.i.A \mid i.B) \setminus \{i\},\ \mathit{ok}.\mathit{Spec} \,\rangle$,

$\langle\, (\mathit{ok}.i.A \mid i.B) \setminus \{i\},\ \mathit{ok}.\mathit{Spec} \,\rangle$,

$\langle\, (i.A \mid i.B) \setminus \{i\},\ \mathit{Spec} \,\rangle$,

$\langle\, (A' \mid i.i.B) \setminus \{i\},\ \mathit{ok}.\mathit{Spec}' \,\rangle$,

$\langle\, (\tau.\mathit{ok}.i.A' \mid i.B) \setminus \{i\},\ \mathit{ok}.\mathit{Spec}' \,\rangle$,

$\langle\, (\mathit{ok}.i.A' \mid i.B) \setminus \{i\},\ \mathit{ok}.\mathit{Spec}' \,\rangle$,

$\langle\, (i.A' \mid i.B) \setminus \{i\},\ \mathit{Spec}' \,\rangle$

3.5. Prioritization and Deprioritization Operators. There are several other language constructs
worth considering when dealing with priority. Of particular interest are the unary operators introduced
by Cleaveland and Hennessy in [25] which correspond to the prioritization of a visible unprioritized action,
written $\lceil a$ for $a \neq \tau$, and to the deprioritization of a visible prioritized action, written $\lfloor a$ for
$\underline{a} \neq \underline{\tau}$. The operational semantics of these operators is formally defined in Table 3.5. This introduction
requires that (i) every prioritized port $\underline{a}$ corresponds one-to-one to an unprioritized port $a$, (ii) every
relabeling $f$ satisfies $f(\underline{a}) = \underline{f(a)}$, and (iii) every restriction set $L$ obeys the property “$\underline{a} \in L$ if and only
if $a \in L$.” Intuitively, $P \lceil a$ prioritizes all $a$ actions which $P$ can perform, while $P \lfloor a$ deprioritizes all
$\underline{a}$ actions in which $P$ can engage, provided the newly deprioritized action is also available to $P$. Note that the
notion of priority is still static and not dynamic since the prioritization and deprioritization operators are
static operators. Thus, the change of priority values affects a process in its whole and is not limited to its
initial behavior.

Table 3.5

Semantics for the prioritization and the deprioritization operator


Priol 



ziup) 


Prio2 



EX(P) 


Prio3 



7 ^ « 


Deprio1 p7~ JL, p< 1 z * Z{P) 
P[a — > P ; [a 


P -A* P* 

Deprio2 r 

P[a-^ P'[a 


UP) 


p -2+ P‘ 

Deprio3 7 a 

P[a-^P'[a 


Including prioritization and deprioritization operators with $\mathrm{CCS}^{sg}$ does not conflict with the notion of
prioritized strong bisimulation, especially since it is compositional with respect to these operators [25]. The
axiomatization of prioritized strong bisimulation for finite processes can also be extended to cover the new
operators. The necessary additional axioms are presented in Table 3.6. Moreover, the presence of the
prioritization and the deprioritization operator allows us to formally justify the design decision that only
prioritized internal actions have pre-emptive power over unprioritized actions. For this purpose assume that
(i) pre-emption is not encoded in the side conditions of the operational rules but, equivalently, in the notion
of bisimulation [25] and that (ii) the naive view of pre-emption gives all prioritized actions pre-emptive
power. Thus, a naive bisimulation demands the following condition for equivalent processes $P \sim_n Q$ and
unprioritized actions $a \in A$: (P P> A /3£. P -A) implies (3<?'. Q Q< A Q -=^ A P' ~ n Q'), and
vice versa. The condition for prioritized actions can be adopted from standard strong bisimulation. It turns
out that $\sim_n$ is not a congruence; e.g., $a.0 + \underline{b}.0 \sim_n \underline{b}.0$ but $(a.0 + \underline{b}.0) \setminus \{b\} \not\sim_n (\underline{b}.0) \setminus \{b\}$ since the former
process can engage in an $a$-transition while the latter is deadlocked. Thus, the question arises how the largest
Table 3.6

Axioms for the prioritization and the deprioritization operator 


(Priol) 

0|a 

= 0 


(Prio 2 ) 

(a.t)\a 

= a.(£[a) 


(Prio 3 ) 


= r(<r«) 

7 ^ a 

(Prio 4 ) 

( t + r.u + b.v) \a 

— (t + r.u)\a 4 - fc.(i;[a) 


(Prio 5 ) 

(t 4- 6.u 4- 7.?;) [a 

= (t 4 - S.u) fa 4 - (t 4 - 7'.n) fa 

(5, 7 € A \ {r} 

(Depriol) 

0[a 

= 0 


(Deprio 2 ) 

(a.t) [a 

= a.(£[a) 


(Deprio 3 ) 


= 7 -(*ra) 

7 ^ S 

(Deprio 4 ) 

(t 4- r.u 4- b.v) [a 

= {t 4 - i.w)[a 4 - 6.(u[a) 


(DeprioS) 

( t 4- S.u 4- 7.1;) [a 

= (£ 4 - S. u) [a 4- (t 4- J.v) [a 

(5, 7 £ A \ {r} 


congruence $\sim_n^+$ contained in $\sim_n$ can be characterized; it turns out that $\sim_n^+$ coincides with prioritized strong
congruence as defined above (see [25] for a formal treatment). This shows that in the presence of pre-emption
only prioritized internal actions may pre-empt unprioritized actions. However, this algebraic result is only
correct if we include the deprioritization operator in our language. A non-trivial characterization of $\sim_n^+$ with
respect to our original language is still an open problem.

For the language extended by the prioritization and the deprioritization operator, an observational 
congruence together with an axiomatic characterization with respect to finite processes has been developed 
in [58, 59], which is briefly reviewed here. For this purpose, we need to refine the prioritized weak transition 
relation. First, we re-define to =>=df=> o -^4 o i.e., a weak unprioritized a-transition consists 
of an a-transition that is preceded and trailed by prioritized internal transitions only. Moreover, we replace 
3L(P) by 2L(P) U2 Z(P) in the definition of since one has to take into account that unprioritized actions 
may turn to prioritized ones if they are in the scope of the prioritization operator. Finally, we write P=> P' 
whenever P=^P' and P ^ P r . Consequently, visible weak unprioritized transitions only abstract from 
prioritized internal actions. The reason for this restriction is that, otherwise, prioritized weak bisimulation 
would not be compositional with respect to the prioritization and the deprioritization operator. In contrast, 
the original prioritized weak transition relation allows an a-transition to be preceded by any sequence of r- 
and T-transitions (satisfying a condition on initial action sets) and only to be trailed by r- transitions. 

The notions of prioritized weak bisimulation and prioritized observational congruence are defined in [58, 
59] as follows, where P stands for 3P' . P P l and P'-^4. 

Definition 3.17. A symmetric relation TZ C V x V is a modified prioritized weak bisimulation if for 
all (P, Q) € TZ and 7 € A \ {t} the following conditions hold. 

1. P if implies Q JJ.. 

2. P — U P' implies 3Q'.Q => Q* , and (P, Q*) € TZ. 

3. P P' implies 3 Q'. Q =► Q ‘ , L = 1 T(P) U 2T(P), and <P', Q') € TZ. 

We write P« pd Q if there exists a modified prioritized weak bisimulation TZ. such that (P, Q) 6 7 Z. 
Table 3.7

Axioms for the $\tau$-laws


(rl) 

7.(1.# + t) 

= I-* 

1 € {r,r} 

( 12 ) 

T.t 

— T.t A- t 


(13) 

7 .{t + t.u) 

— l-(t + t.u) A- y.u 


(rl) 

t + T.(U + T.V) 

= t + T.(u A- T.v) A- T.V 

(-/ t£l\V 



Table 3.8 



Axiomatization of C, (Axioms I ) 



(•Cl) a.t Ci a.u (iC2) 0Cj7.f 7 € A \ {r} (iC3) a.t.Q ,0 


Definition 3.18. We define P fts pd Q if for all $\gamma \in A \setminus \{\tau\}$ the following conditions and their symmetric
counterparts hold.

1- P —4 P 1 implies 3 Q‘ Q =4 Q' and P'« pd Q' . 

2. P -4 P' implies 3Q 1 -Q==>Q', where L = TL{P) U 2£(P), and P' w pd (?' . 

The observational congruence of Definition 3.18 possesses nice algebraic properties for our language extended
by the prioritization and the deprioritization operator, including a largest congruence result similar to
Theorem 3.11 and a sound and complete axiomatization with respect to finite processes. For the latter, the
axiomatization for prioritized strong bisimulation is augmented with suitable $\tau$-laws as shown in Table 3.7
(cf. [52]). The relation $\sqsubseteq_i$, occurring in the side condition of Axiom (rl), is the pre-congruence on finite
processes generated from the axioms presented in Table 3.8 using the laws of inequational reasoning; we write
$\vdash_I t \sqsubseteq_i u$ if $t$ can be related to $u$ by Axioms (iC1), (iC2), and (iC3). Intuitively, $\vdash_I t \sqsubseteq_i u$ holds whenever
(i) $\underline{\tau} \in \mathrm{I}(t)$ if and only if $\underline{\tau} \in \mathrm{I}(u)$ and (ii) $\mathrm{I\!I}(t) \subseteq \mathrm{I\!I}(u)$.

Finally, it should be noted that applications underline the importance of the additional freedom of
abstracting from internal transitions gained by leaving out the prioritization and the deprioritization operator.
In fact, the observational congruence of Definition 3.18 does not relate the processes Sys and Spec of our
back-and-forth example. This is due to the presence of the unprioritized internal action in Sys.


3.6. Extension to Multi-level Priority Schemes. We now remark on the extension of $\mathrm{CCS}^{sg}$ to a
multi-level priority-scheme. To do so, we first alter the definition of prioritized initial action sets to capture
the priority-level of actions; i.e., we define sets $\mathrm{I}^k(P)$ for processes $P$ with respect to priority value $k$. This
can be done as shown in Table 3.9.

Table 3.9

Potential initial action sets for $\mathrm{CCS}^{sg}$

$$\begin{array}{ll}
\mathrm{I}^k(\alpha{:}l.P) = \{\alpha{:}l \mid l = k\} & \mathrm{I}^k(P[f]) = \{f(\alpha{:}l) \mid \alpha{:}l \in \mathrm{I}^k(P)\} \\
\mathrm{I}^k(\mu x.P) = \mathrm{I}^k(P[\mu x.P/x]) & \mathrm{I}^k(P + Q) = \mathrm{I}^k(P) \cup \mathrm{I}^k(Q) \\
\mathrm{I}^k(P \setminus L) = \mathrm{I}^k(P) \setminus (L \cup \overline{L}) & \mathrm{I}^k(P \mid Q) = \mathrm{I}^k(P) \cup \mathrm{I}^k(Q) \cup \{\tau{:}k \mid \mathrm{I}^k(P) \cap \overline{\mathrm{I}^k(Q)} \neq \emptyset\}
\end{array}$$

Using this definition of initial action sets and the convention $\tau \notin \mathrm{I}^{<k}(P)$ if $\nexists l < k.\ \tau{:}l \in \mathrm{I}^l(P)$, the
operational semantics can be re-stated as follows, as shown by way of example for Rule (Com3).

$$\text{Com3} \quad \frac{P \xrightarrow{a:k} P' \qquad Q \xrightarrow{\overline{a}:k} Q'}{P \mid Q \xrightarrow{\tau:k} P' \mid Q'} \quad \tau \notin \mathrm{I}^{<k}(P \mid Q)$$

Observe that the sets $\mathrm{I}^k(P)$ may contain actions in which $P$ cannot initially engage, since their definition does
not consider pre-emption. In fact, the set of actions with priority value $k$ in which $P$ can indeed initially
engage is given by $\mathcal{I}^k(P) = \{\alpha{:}k \in \mathrm{I}^k(P) \mid \tau{:}l \notin \mathrm{I}^l(P) \text{ for all } l < k\}$. However, it is easy to show that
$\tau \notin \mathrm{I}^{<k}(P)$ if and only if $\tau \notin \mathcal{I}^{<k}(P)$ [50]. Thus, the side condition of Rule (Com3) captures our intuition
that $P \mid Q$ cannot engage in a more urgent internal transition.

Table 3.10

Prioritized weak transition relation


^ =df P ^ P' if P -^4 P' and TL'(P) C L for all / < k 

(:k /r r:/ | / / m u Q:k (:k a:k <:0 

=f =df({ T » !*<*})• 


The re-development of the bisimulation-based semantic theory proceeds along the lines of the above 
sections and does not raise any new semantic issues. For example, the notion of prioritized observational 
congruence is defined as follows [50], where (i) the prioritized weak transition relation is given by the rules 
in Table 3.10, (ii) XL k (P) —^X k (P) \ {r:/r}, (iii) is the adaption of prioritized weak bisimulation to a 
multi-level priority-scheme, (iv) 1(P) = df \J{l k (P) \ k e A'}, and (v) XL <k (P) - (if l <k (P) \ {r:l\l < k}. 

Definition 3.19. Processes P and Q are prioritized observational congruent if for all actions a:k the
following conditions and their symmetric counterparts hold.

L l(P) D 1(Q) 

2. P -^4 P f implies where L = TL <k {P ), and P l 

Details of the extension of $\mathrm{CCS}^{sg}$ to a multi-level priority-scheme can be found in [50].

3.7. Concluding Remarks and Related Work. We conclude by first commenting on the design
decision that priority values are considered to be part of ports, which implies that only complementary
actions having the same priority can synchronize. Lifting this design decision by allowing $a{:}k$ and $\overline{a}{:}l$,
where $k \neq l$, to synchronize leads to the question of which priority value to assign to the resulting $\tau$. One
can imagine several obvious choices for this function, e.g., maximum or minimum. In addition, [33, 35]
recommend using the sum of the priority values of the actions involved. Unfortunately, while a specific
function may be suitable for certain examples, it is difficult to motivate for general applications. In the next
section, we will see that such a function is superfluous when dealing with local pre-emption.

Regarding related work, Gerber and Lee have developed a real-time process algebra, the Calculus of
Communicating Shared Resources (CCSR) [32], that explicitly takes into account the availability of system
resources. Semantically, synchronizations between processes are modeled in an interleaving fashion using
instantaneous transitions, whereas the access of resources is truly concurrent and consumes time. In CCSR
a priority structure may be defined over resources in order to indicate their importance; e.g., it can be used
to ensure that deadlines are met. The underlying concept of priority is similar to that of $\mathrm{CCS}^{sg}$ in that
priorities are static and pre-emption is global. In [33] a resource-based prioritized (strong) bisimulation for
CCSR together with a congruence result and axiomatizations with respect to several classes of processes [20]
are given.

Prasad has also extended his Calculus of Broadcasting Systems (CBS) [64] for dealing with a notion 
of static priority [65]. He refers to the priority calculus as PCBS. For PCBS nice semantic theories based 
on Milner’s strong and weak bisimulation have been developed along with congruence proofs. Remarkably, 
these theories do not suffer from the technical subtleties which have been encountered for $\mathrm{CCS}^{sg}$, although
the concept of pre-emption is basically the same. The reason is that PCBS uses a much simpler model
for communication that is based on the principle of broadcasting. In this setting, priority values are only 
attached to output actions, which cannot be restricted or hidden as in traditional process algebras. Finally, 
it should be mentioned that PCBS contains an operator, called translate , which allows for the prioritization 
and the deprioritization of actions. 

4. Static Priority and Local Pre-emption. This section provides a new semantics for our language,
subsequently referred to as $\mathrm{CCS}^{sl}$ (CCS with static priority and local pre-emption), which is distinguished
from the one developed in the previous section by the design decision that it only allows actions to pre-empt
others at the same location and therefore captures a notion of localized precedence. This constraint reflects
an essential intuition about distributed systems, namely, that the execution of a process on one processor
should not affect the behavior of a process on another processor unless the designer explicitly builds an
interaction, e.g., a synchronization, between them.



Fig. 4.1. Example system 


The following example demonstrates the necessity to consider locations when reasoning about priority
within distributed systems. The example system consists of an application that manipulates data from two
memory benches (cf. Figure 4.1). In order to improve the efficiency in the computer system, each bench,
Bench1 and Bench2, is connected to a direct-memory-access (DMA) controller. To overcome the low speed of
most memory modules, the application Appl works alternately with each memory bench. We model Appl in
$\mathrm{CCS}^{sl}$ by $\mathit{Appl} \stackrel{\text{def}}{=} \mathit{fetch1}.\mathit{fetch2}.\mathit{Appl}$. Each memory bench, Bench1 and Bench2, is continuously able to serve
the application or to allow the external DMA controller to access the memory via the channel dma. However,
if a memory bench has to decide between both activities, then it chooses the former since the progress of the
application is considered more important. Consequently, we define $\mathit{Bench1} \stackrel{\text{def}}{=} \mathit{fetch1}.\mathit{Bench1} + \mathit{dma}.\mathit{Bench1}$
and $\mathit{Bench2} \stackrel{\text{def}}{=} \mathit{fetch2}.\mathit{Bench2} + \mathit{dma}.\mathit{Bench2}$. The overall system Sys is given by

$$\mathit{Sys} \stackrel{\text{def}}{=} (\mathit{Appl} \mid \mathit{Bench1} \mid \mathit{Bench2}) \setminus \{\mathit{fetch1}, \mathit{fetch2}\}.$$

Since the application uses the memory cells alternately, the DMA is expected to be allowed to access the
memory bench which is currently not serving the application. However, using the approach to priority
involving global pre-emption presented in Section 3, all dma-transitions in the labeled transition system of
Sys are pre-empted since the application can indefinitely engage in a prioritized communication, i.e.,
direct-memory-access is never granted.

Generally speaking, one would expect that priorities at different sites of a distributed system do not 
influence the behavior of each other, i.e., priorities at different sites are supposed to be incomparable. 
The semantics given in Section 3 does not permit this distinction to be made; the net effect is that some 
computations that one would expect to find in a distributed system are improperly suppressed. It has been 
proposed to remedy this shortcoming regarding distributed systems by introducing local pre-emption [23, 27]. 

The remainder of this section is organized as follows. The next section introduces a notion of
locations that is used in Section 4.2 for the definition of the operational semantics of $\mathrm{CCS}^{sl}$ with a two-level
priority-scheme. Sections 4.3 and 4.4 develop the semantic theories based on strong and weak
bisimulation, respectively, while Section 4.5 re-considers the direct-memory-access example presented above. The
consequences of lifting some design decisions in $\mathrm{CCS}^{sl}$ are discussed in Section 4.6. After extending $\mathrm{CCS}^{sl}$
to a multi-level priority-scheme in Section 4.7 and presenting another approach to priority taken from [23]
in Section 4.8, a formal comparison of the two approaches is given in Section 4.9. Finally, Section 4.10
concludes with some additional remarks and comments on related work.

4.1. Locations. We now introduce the notion of location, which will be used in the next section in the
operational semantics for $\mathrm{CCS}^{sl}$ as a basis for deciding when one transition pre-empts another. Intuitively, a
location represents the “address(es)” of subterm(s) inside a larger term; when a system performs an action,
$\mathrm{CCS}^{sl}$ semantics will also note the location of the subterm(s) that “generate(s)” this action. Observe that
because of the potential for synchronization more than one subterm may be involved in an action. The
account of locations closely follows that of [27, 56].

Formally, let $A_{addr} =_{df} \{L, R, l, r\}$ be the address alphabet, and let $\bullet$ be a special symbol not in $A_{addr}$.
Then, $Addr =_{df} \{\bullet s \mid s \in A_{addr}^*\}$ represents the set of (process) addresses ranged over by $v, w$. Intuitively, an
element of $Addr$ represents the address of a subterm, with $\bullet$ denoting the current term, $l$ ($r$) representing the
left (right) subterm of $+$, and $L$ ($R$) the left (right) subterm of $\mid$. For example, in the process $(a.0 \mid b.0) + c.0$,
the address of $a.0$ is $\bullet Ll$, of $b.0$ is $\bullet Rl$, and of $c.0$ is $\bullet r$. If $\bullet s_1$ and $\bullet s_2$ are addresses, then we write
$\bullet s_1 \cdot \bullet s_2 = \bullet s_1 s_2$ to represent address concatenation (where $s_1 s_2$ represents the usual concatenation of
elements in $A_{addr}^*$). Further, if $V \subseteq Addr$ and $\zeta \in A_{addr}$, then we write $V \cdot \zeta$ for $\{v \cdot \zeta \mid v \in V\}$. Occasionally,
we omit $\bullet$ from addresses.

As mentioned in the previous section, we want to adopt the view that processes at different sides of the
parallel composition operator are logically, though not necessarily physically, executed on different processors.
Thus, priorities on different sides of the parallel composition operator are distributed and, therefore, should
be incomparable. However, priorities on different sides of the summation operator should be comparable
since argument processes of summation are logically scheduled on the same processor. This intuition is
formalized in the following comparability relation on addresses which is adapted from [35].
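Table 4.1

Distributed prioritized initial action sets for $\mathrm{CCS}^{sl}$

$$\begin{array}{ll}
\mathrm{I}_m(\mu x.P) = \mathrm{I}_m(P[\mu x.P/x]) & \mathrm{I}_\bullet(\underline{\alpha}.P) = \{\underline{\alpha}\} \\
\mathrm{I}_{m \cdot l}(P + Q) = \mathrm{I}_m(P) & \mathrm{I}_{n \cdot r}(P + Q) = \mathrm{I}_n(Q) \\
\mathrm{I}_m(P[f]) = \{f(\underline{\alpha}) \mid \underline{\alpha} \in \mathrm{I}_m(P)\} & \mathrm{I}_m(P \setminus L) = \mathrm{I}_m(P) \setminus (L \cup \overline{L}) \\
\mathrm{I}_{m \cdot L}(P \mid Q) = \mathrm{I}_m(P) & \mathrm{I}_{n \cdot R}(P \mid Q) = \mathrm{I}_n(Q) \\
\mathrm{I}_{(m \cdot L,\, n \cdot R)}(P \mid Q) = \{\underline{\tau} \mid \mathrm{I}_m(P) \cap \overline{\mathrm{I}_n(Q)} \neq \emptyset\} &
\end{array}$$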



Definition 4.1 (Comparability Relation). The comparability relation $\bowtie$ on addresses is the smallest
reflexive and symmetric subset of $Addr \times Addr$ such that for all $v, w \in Addr$:

1. $(v \cdot l, w \cdot r) \in\ \bowtie$, and

2. $(v, w) \in\ \bowtie$ implies $(v \cdot \zeta, w \cdot \zeta) \in\ \bowtie$ for $\zeta \in A_{addr}$.

In the sequel we write $v \bowtie w$ instead of $(v, w) \in\ \bowtie$. If $v \in Addr$ then we use $[v]$ to denote the set
$\{w \in Addr \mid v \bowtie w\}$. Observe that the comparability relation is not transitive, e.g., we have $Ll \bowtie r$ and
$r \bowtie Rl$, but $Ll \not\bowtie Rl$, since $L \not\bowtie R$.

We may now define the set $\mathcal{L}oc$ of (transition) locations as $Addr \cup (Addr \times Addr)$. Intuitively, a
transition location records the addresses of the components in a term that participate in the execution of
a given action. In our language, transitions are performed by single processes or pairs of processes (in the
case of a synchronization). We define $(v, w) \cdot \zeta =_{df} (v \cdot \zeta, w \cdot \zeta)$ and $[(v, w)] =_{df} [v] \cup [w]$ where $v, w \in Addr$
and $\zeta \in A_{addr}$. We use $m, n, o, \ldots$ to range over $\mathcal{L}oc$ in what follows.


4.2. Operational Semantics. The operational semantics of a $\mathrm{CCS}^{sl}$ process $P$ is given by a labeled
transition system. The transition relation $\longrightarrow\ \subseteq \mathcal{P} \times (\mathcal{L}oc \times A) \times \mathcal{P}$ with respect to unprioritized actions is
defined in Table 4.2 using Plotkin-style operational rules [63] whereas for prioritized actions the same rules
as for $\mathrm{CCS}^{sg}$ apply (see Table 3.2). We write $P \xrightarrow{m,\alpha} P'$ if $\langle P, (m, \alpha), P' \rangle \in\ \longrightarrow$ and say that $P$ may engage
in action $\alpha$ offered from location $m$ and thereafter behave like process $P'$. Note that prioritized transitions
do not need to be labeled with locations since they can never be pre-empted.

The presentation of the operational rules requires distributed prioritized initial action sets, which are
defined as the least sets satisfying the equations in Table 4.1. Intuitively, $\mathrm{I}_m(P)$ denotes the set of all
prioritized initial actions of $P$ from location $m$. Note that these sets are either empty or contain exactly
one initial action. $\mathrm{I}_m(P) = \emptyset$ means that either $m$ is not a location of $P$ or $P$ is incapable of performing
a prioritized action at location $m$. Additionally, let us denote the set $\bigcup \{\mathrm{I}_m(P) \mid m \in M\}$ of all distributed
prioritized initial actions of $P$ from locations $M \subseteq \mathcal{L}oc$ by $\mathrm{I}_M(P)$ and the set $\mathrm{I}_{\mathcal{L}oc}(P)$ of all distributed
prioritized initial actions of $P$ by $\mathrm{I}(P)$. We also define analogous sets restricted to visible actions:
$\mathrm{I\!I}_M(P) =_{df} \mathrm{I}_M(P) \setminus \{\underline{\tau}\}$ and $\mathrm{I\!I}(P) =_{df} \mathrm{I}(P) \setminus \{\underline{\tau}\}$, respectively.

The side conditions of the operational rules guarantee that a process does not perform an unprioritized
action if it can engage in a prioritized synchronization or internal computation, i.e., a $\underline{\tau}$-transition, from a
comparable location. In contrast to the global notion of pre-emption defined in Section 3, the local notion
here is much weaker since $\mathrm{I\!I}_{[m]}(P) \subseteq \mathrm{I\!I}(P)$ for all $m \in \mathcal{L}oc$ and $P \in \mathcal{P}$. In other words, local pre-emption
Table 4.2

Operational semantics for $\mathrm{CCS}^{sl}$


Act 


Rel 


Res 


Rec 


p m,o^ pi 
p m,Q^ pi 

P[nx.P/x 3 ^ P' 
flX.P P' 


p 711,11. pt 

Suml t r £ 1(g) 

P + g^^P' -^-v ^ 


Sum 2 


a £ L U L Coml 


Q^Q 


pf^Su),rm p ) 


tn,<\\ ryi 


P\Q p/\Q 


2 |m] (P)niW) = 0 


Q 1L<±> O' 

Com 2 --- H bl] (Q)nlL(P) = 0 


Com3 


pm^p' qilo+q' £ Im] (P)n£(Q) = 0A 


P\Q l m - L >»- R b r > P'\Q' K[ n \(Q) n mn = 0 


does not pre-empt as many transitions as global pre-emption does. The difference between $\mathrm{CCS}^{sl}$ and $\mathrm{CCS}^{sg}$
semantics arises by the side conditions of the rules for parallel composition with respect to unprioritized
transitions. Since locations on different sides of a parallel operator are incomparable, $\underline{\tau}$'s arising from a
location of $P$ ($Q$) cannot pre-empt the execution of a transition, even an unprioritized one, of $Q$ ($P$). Only
if $P$ ($Q$) engages in a prioritized synchronization with $Q$ ($P$) can unprioritized actions from a comparable
location of $P$ ($Q$) be pre-empted.
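
The following Python example is added here and is not code from the paper. It implements the comparability relation of Definition 4.1 and uses it to contrast global and local pre-emption on the direct-memory-access system from the beginning of Section 4. Assumptions of the example: the tuple encoding of terms, the `_`/`!` spelling of prioritized and complementary actions, the choice that the fetch ports are prioritized and complemented on the bench side while dma is unprioritized, and the reading of the side conditions as "an unprioritized transition is pre-empted exactly when a prioritized internal transition is offered from a comparable location".

```python
# Added illustration, not code from the paper. Term encoding, action
# spelling and all helper names are assumptions of this example.
# Actions: "_a" is prioritized a, a trailing "!" marks the complement,
# "_tau" is the prioritized internal action.

def co(a):
    """Complement of a visible action."""
    return a[:-1] if a.endswith("!") else a + "!"

def comparable(v, w):
    """Definition 4.1 on addresses written without the leading bullet."""
    while v and w and v[-1] == w[-1]:      # clause 2: drop the shared outer context
        v, w = v[:-1], w[:-1]
    if not v and not w:                    # reflexivity
        return True
    return bool(v) and bool(w) and {v[-1], w[-1]} == {"l", "r"}   # clause 1

def loc_comparable(m, n):
    """Locations are tuples of one or two addresses: [(v, w)] = [v] U [w]."""
    return any(comparable(v, w) for v in m for w in n)

def shift(ms, tag):
    """Append one address symbol to every address of every move."""
    return [(tuple(a + tag for a in m), act, q) for m, act, q in ms]

def moves(p, defs):
    """Potential transitions (location, action, successor), before pre-emption."""
    kind = p[0]
    if kind == "nil":
        return []
    if kind == "pre":                      # ("pre", action, continuation)
        return [(("",), p[1], p[2])]
    if kind == "var":                      # ("var", name): unfold a guarded definition
        return moves(defs[p[1]], defs)
    if kind == "sum":                      # ("sum", P, Q)
        return shift(moves(p[1], defs), "l") + shift(moves(p[2], defs), "r")
    if kind == "res":                      # ("res", P, frozenset of port names)
        return [(m, act, ("res", q, p[2])) for m, act, q in moves(p[1], defs)
                if act.strip("_!") not in p[2]]
    if kind == "par":                      # ("par", P, Q)
        left, right = shift(moves(p[1], defs), "L"), shift(moves(p[2], defs), "R")
        out = [(m, act, ("par", q, p[2])) for m, act, q in left]
        out += [(n, act, ("par", p[1], q)) for n, act, q in right]
        for m, a, q1 in left:              # synchronisation on complementary ports
            for n, b, q2 in right:
                if a.lstrip("_") != "tau" and b == co(a):
                    tau = "_tau" if a.startswith("_") else "tau"
                    out.append((m + n, tau, ("par", q1, q2)))
        return out
    raise ValueError(f"unknown term {p!r}")

def enabled(p, defs, local):
    """Transitions that survive pre-emption by prioritized internal actions."""
    ms = moves(p, defs)
    urgent = [m for m, act, _ in ms if act == "_tau"]
    keep = []
    for m, act, q in ms:
        if act.startswith("_"):            # prioritized moves are never pre-empted
            keep.append((m, act, q))
        elif local:                        # Section 4: only comparable locations count
            if not any(loc_comparable(m, u) for u in urgent):
                keep.append((m, act, q))
        elif not urgent:                   # Section 3: any prioritized tau pre-empts
            keep.append((m, act, q))
    return keep

# The DMA system of Section 4, parsed as (Appl | Bench1) | Bench2.
DEFS = {
    "Appl": ("pre", "_fetch1", ("pre", "_fetch2", ("var", "Appl"))),
    "Bench1": ("sum", ("pre", "_fetch1!", ("var", "Bench1")),
                      ("pre", "dma", ("var", "Bench1"))),
    "Bench2": ("sum", ("pre", "_fetch2!", ("var", "Bench2")),
                      ("pre", "dma", ("var", "Bench2"))),
}
SYS = ("res", ("par", ("par", ("var", "Appl"), ("var", "Bench1")), ("var", "Bench2")),
       frozenset({"fetch1", "fetch2"}))

def dma_sites(state, local):
    """Addresses from which a dma transition is enabled in `state`."""
    return sorted(m[0] for m, act, _ in enabled(state, DEFS, local) if act == "dma")

def after_fetch(state):
    """Follow the single prioritized tau, i.e. the pending fetch synchronisation."""
    (succ,) = [q for _, act, q in enabled(state, DEFS, True) if act == "_tau"]
    return succ

if __name__ == "__main__":
    state = SYS
    for step in range(2):                  # rR is Bench2's dma summand, rRL is Bench1's
        print(step, "global:", dma_sites(state, False), "local:", dma_sites(state, True))
        state = after_fetch(state)
```

Under global pre-emption no dma transition is ever enabled, whereas under local pre-emption the bench that is not about to serve the application keeps its dma transition.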

4.3. Semantic Theory Based on Strong Bisimulation. Just as in Section 3, we present an equiv- 
alence relation for CCS sl processes that is based on bisimulation [61]. Our aim is to characterize the largest 
congruence contained in the “naive” adaptation of strong bisimulation [52] to our framework obtained by 
ignoring location information. 

Definition 4.2 (Naive Distributed Prioritized Strong Bisimulation). A symmetric relation R C V x V 
is called naive distributed prioritized strong bisimulation if for every (P, Q) € R and 7 € A the following 
condition holds. 


P P' implies 3Q'.Q Q' and <P\ Q') <E U . 

We write $P \simeq Q$ if there exists a naive distributed prioritized strong bisimulation $\mathcal{R}$ such that $\langle P, Q \rangle \in \mathcal{R}$.

Although $\simeq$ is an equivalence, it is unfortunately - in contrast to the situation in Section 3.2 - not
a congruence. The lack of compositionality is demonstrated by the following example, which embodies
the traditional view that “parallelism = nondeterminism.” We have $a.b.0 + b.a.0 \simeq a.0 \mid b.0$ but
$(a.b.0 + b.a.0) \mid b.0 \not\simeq (a.0 \mid b.0) \mid b.0$, since the latter process can perform an $a$-transition while the
corresponding $a$-transition of the former is pre-empted because the right process in the summation can engage
in a prioritized communication. The above observation is not surprising since the distribution of processes
influences the pre-emption of transitions and, consequently, the bisimulation. However, we know by
Proposition 3.6 that $\simeq$ includes a largest congruence for $\mathrm{CCS}^{sl}$.
Table 4.3

Axiomatization of $\simeq^l$ (Axioms E)


(i A1 ) 

t © u = U 0 t 

(iA2) 

t® (u® 

*v) = (t 

©w)0w 

(■A3) 

td)t = t 


(*A4) 

*©0 = 

t 


(E) 

t = ©i E> 

lij-tij and w = ©<. 

fifcl-Uk 

implies 

t\u ~ 



®, Ejhu 

.{tij \ u) + {t 

'■(tij 1 w*i) 

7 ij — 

lij T fikl 

€.4} 



+ J2k Jli {l 

.■(tij | ll/cl) | 

7 ij — fifth 

lij > fifd 

e A}) © 


©Jt El(&kt 

■(C u «) + E, E0 

'■(tij\u k j) 

7 ij = fifd , 

7 i j , fikl 

€.4} 



+ EiE,-{i 

■{tij | «*/) 

7 ij — fifth 

lij , fikl 

€ A}) 

(iRes4) 

(t 0 a) \ L 

= (t\L)® (u \ L ) 

(iRel3; 

(t®u)[f\ = t[f 

1 ® «[/] 


4.3.1. Distributed Prioritized Strong Bisimulation. In the remainder, we develop a characteri- 
zation of . To do so we need to take local pre-emption into account. 

Definition 4.3. A symmetric relation $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$ is a distributed prioritized strong bisimulation if
for every $\langle P, Q \rangle \in \mathcal{R}$, $\underline{\alpha} \in \underline{A}$, $\alpha \in A$, and $m \in \mathcal{L}oc$ the following conditions hold.

1. $P \xrightarrow{\underline{\alpha}} P'$ implies $\exists Q'.\ Q \xrightarrow{\underline{\alpha}} Q'$ and $\langle P', Q' \rangle \in \mathcal{R}$.

2. $P \xrightarrow{m,\alpha} P'$ implies $\exists Q', n.\ Q \xrightarrow{n,\alpha} Q'$, $\mathrm{I}_{[n]}(Q) \subseteq \mathrm{I}_{[m]}(P)$, and $\langle P', Q' \rangle \in \mathcal{R}$.

We write $P \simeq^l Q$ if $\langle P, Q \rangle \in \mathcal{R}$ for some distributed prioritized strong bisimulation $\mathcal{R}$.

Intuitively, the distributed prioritized initial action set of a process with respect to some location is a measure
of the pre-emptive power of the process relative to that location. Thus, the second condition of Definition 4.3
states that an unprioritized action $\alpha$ from some location $m$ of the process $P$ must be matched by the same
action from some location $n$ of $Q$ and that the pre-emptive power of $Q$ relative to $n$ is at most as strong as
the pre-emptive power of $P$ relative to $m$. The following theorem is the main result of this section.

Theorem 4.4. $\simeq^l$ is the largest congruence contained in $\simeq$.

We refer for the proof to [50]. The context needed in the largest congruence proof is similar to the one used 
in Section 3.3. 


4.3.2. Axiomatic Characterization. In this section we present an axiomatization of $\simeq^l$ with respect
to finite processes for which we introduce a new binary summation operator $\oplus$ to the process algebra $\mathrm{CCS}^{sl}$.
This operator is called distributed summation and is needed for giving an Expansion Axiom (cf. Axiom (E) in
Table 4.3). Its operational semantics is defined below and differs from the nondeterministic choice operator
$+$ in that a location from its left argument is never comparable to one from its right argument.

t t f _ . t t* 


dSuml 


dSuml 


t 0 u 


t 0 u 


m L.o 




dSum2 


* / 
L > U 


dSum2 




t 0 U 


n/i,q 


* U ' 


It can easily be checked that $\simeq^l$ is also compositional with respect to $\oplus$.

Table 4.4

Axioms E (continued) 


(Dl) 

(t ® t') + (u ® «') = ((< ® t') + u') © ((« © «') + t') 

(1-/ tQit', h, «&«') 

(D2) 

(t 0 w) + a.v = (t -f a.v) 0 ( u -h a.v) 


del) 

t 0 a.u = t + a.u 

m 

(Ic2) 

(a.t 0 u) = ( a.t 0 m) 0 a.t 


(SI) 

(t 0 a.u) 0 (t ; 0 a.u') = (t 0 a.u 0 a.u') 0 ( t f 0 a.u f ) 

(S2) 

(t 0 a.u) 0 (u 0 a.v) = (t 0 a.u) (0 u 

ui 

X 

(S3) 

t 0 U = t 0 U 

(h, t=-,u) 


Now, we turn to the axiom system for distributed prioritized strong bisimulation. We write $\vdash_E t = u$
if term $t$ can be rewritten to $u$ using the axioms in Tables 4.3 and 4.4 as well as Axioms (A1)-(A4),
Axioms (Res1)-(Res4), Axioms (Rel1)-(Rel3), and Axiom (P) from Table 3.3. Axioms (Ic1), (D1), (S2),
and (S3) involve side conditions. Regarding Axiom (Ic1), we introduce the unary predicate t| over processes
(of the form $\sum_{j \in J} \gamma_j.t_j$ for some nonempty index set $J$) together with the following proof rules: (i) t ]a.t and
(ii) \)t and t?iz implies \\(t. 0 u). Intuitively, 7 j-tj) if and only if 7 j G A for all j G J. The relation $\sqsubseteq_i$ is
defined as in Section 3.5 (see Table 3.8). The axioms in Table 4.3 are basically those given in Table 3.3 and
augmented with the corresponding axioms for the distributed summation operator. Moreover, the Expansion
Axiom has been adapted for our algebra (cf. Axiom (E) where is the indexed version of 0, and (J) is the
indexed version of 0). Note that parallelism in $\mathrm{CCS}^{sl}$ cannot be resolved in nondeterminism by using the
operator $+$ only, since priorities on different sides of $\mid$ are incomparable, but on different sides of $+$ they
are comparable. The introduction of the operator $\oplus$ solves this problem. The axioms in Table 4.4 show how
we may “restructure” locations. They deal with the distributivity of the summation operators (Axioms (D1)
and (D2)), the interchangeability of the summation operators (Axioms (Ic1) and (Ic2)), and the saturation
of locations (Axioms (S1), (S2), and (S3)), respectively. The proof of the next theorem can be found in [27].

Theorem 4.5. Let $t$ and $u$ be finite processes. Then $\vdash_E t = u$ if and only if $t \simeq^l u$.

4.3.3. Operational Characterization. The following definition introduces an equivalence which
characterizes $\simeq^l$ as standard strong bisimulation [50]. It uses the notation $P \xrightarrow[L]{\alpha} P'$ for $P, P' \in \mathcal{P}$, $\alpha \in A$,
and $L \subseteq \underline{A} \setminus \{\underline{\tau}\}$ whenever $\exists m \in \mathcal{L}oc.\ P \xrightarrow{m,\alpha} P'$ and $\mathrm{I\!I}_{[m]}(P) \subseteq L$. Note that these enriched transitions
take local pre-emption potential into account, thereby avoiding the explicit annotation of transitions with
locations.

Definition 4.6. A symmetric relation ℛ ⊆ 𝒫 × 𝒫 is an alternative distributed prioritized strong 
bisimulation if for every (P, Q) ∈ ℛ, a ∈ A, a ∈ A, and L ⊆ A \ {τ} the following conditions hold. 

1. P-B+P* implies 3 Q'.Q-^ Q* and {P\Q f ) G K. 

2 . P P f implies 3Q f .Q-^Q f and (P f ,Q f ) G 7 Z. 

We write P~* Q if (P, Q) ∈ ℛ for some alternative distributed prioritized strong bisimulation ℛ. 

Similarly to Section 3.3.3, we obtain an operational characterization of our behavioral relation. 

Theorem 4.7 (Operational Characterization). = c^*. 
4.4. Semantic Theory Based on Weak Bisimulation. As for CCS sg, we develop a coarser behavioral 
bisimulation-based congruence by abstracting from internal actions. We start off with the definition of 
a naive distributed prioritized weak bisimulation, which is an adaptation of observational equivalence [52]. 

Definition 4.8 (Naive Distributed Prioritized Weak Transition Relation). 

(*) 7 =df if 7 € {l,r}, and 7 - df 7 , otherwise (ii) ^=> x —df (-=4 U|J{ |m € £oc})* 

M =i> x = df =^ x o o (iv) 

In the following we write P =^> x P ' for 3 m G Coe, P =^ x P'. 

Definition 4.9 (Naive Distributed Prioritized Weak Bisimulation). A symmetric relation ℛ ⊆ 𝒫 × 𝒫 
is a naive distributed prioritized weak bisimulation if for every (P, Q) ∈ ℛ and γ ∈ A the following condition 
holds. 

P -^4 P' implies ∃Q'. Q =^> x Q' and (P', Q') ∈ ℛ. 

We write P ≈_× Q if (P, Q) ∈ ℛ for some naive distributed prioritized weak bisimulation ℛ. 

It is fairly easy to see that ≈_× is not a congruence for CCS sl. One compositionality defect arises with 
respect to parallel composition and is similar to the one mentioned for naive distributed prioritized strong 
bisimulation. Another defect, which is carried over from CCS, is concerned with the summation operators. 

4.4.1. Distributed Prioritized Weak Bisimulation. We devote the rest of this section to characterizing 
the largest congruence contained in the naive distributed prioritized weak bisimulation. To do so, 
we first re-define the weak transition relation. 

Definition 4.10 (Distributed Prioritized Weak Transition Relation). For L, M ⊆ A \ {τ} we define 
the following notations. 

(i) t =df£, « =dfQ, T - df e, a = df a (ii) P^? P' if P P ; and Q L 

(in) => = d f (— =4 U (J{ \ rr i € Coc)Y (iv) => = ri/=^ o —=4 o 

(v) =f =df U U{ I m G Coc)Y (vi) P=? P l if 3 P".P=^P" ^ P' and 7L{P n ) C M. 

Intuitively, these definitions are designed to reflect constraints that a process environment must satisfy in 
order for the given transition to be enabled. Thus, P P' means that P can engage in action a at location 
m to P' provided that the environment does not offer a prioritized communication involving actions in L. If 
the environment were to offer such a communication, the result would be a τ at a comparable location to m in 
P, which would pre-empt the a. In a similar vein, P => P' holds if P can evolve to P' via a nonpre-emptable 
sequence of internal transitions, regardless of the environment’s behavior. These internal transitions should 
therefore involve either the prioritized τ, which can never be pre-empted, or the unprioritized τ, in which 
case no prioritized actions should be enabled at the same location. Likewise, P =^=> P' means that, so long 
as the environment does not offer to synchronize with P using the prioritized actions in L, the process P may 
engage in a sequence of internal computation steps and become P'. Finally, the M-parameter in => provides a 
measure of the pre-emptive impact that a process can have on its environment. From the definition, P =? P' is 
true if P can engage in some internal computation followed by a, so long as the environment refrains from 
synchronizations in L, and then some nonpre-emptable internal computation to arrive at P'. In addition, the 
state at which a is enabled should only offer prioritized communications in M. Note that the definition of 
P ==> P' is in accordance with our intuition that internal actions, and therefore their locations, are 
unobservable. Moreover, an environment of P is not influenced by internal actions performed by P since 
priorities arising from different sides of the parallel composition operator are incomparable. Therefore, the 
parameter M is unnecessary in the definition of the relation =j> . Finally, for notational convenience => is 
interpreted as ==> . 

Definition 4.11 (Distributed Prioritized Weak Bisimulation). A symmetric relation ℛ ⊆ 𝒫 × 𝒫 is a 
distributed prioritized weak bisimulation if for every (P, Q) ∈ ℛ, a ∈ A, a ∈ A, and m ∈ Loc the following 
conditions hold. 

1 . 3Q # ,Q".Q =^> Q" Q', Z(Q") C 2(P), and (?,(/) € 72. 

2. P P' implies 3 Q f . Q Q 9 and ( P\Q # ) € 72. 

5. P ^ P' implies 3Q', n. Q => Q' , L = 7L [m] (P), M = 2T(P), and <P\ Q') € P. 

We write P ≈ Q if (P, Q) ∈ ℛ for some distributed prioritized weak bisimulation ℛ. 

Condition (1) of Definition 4.11 guarantees that distributed prioritized weak bisimulation is compositional 
with respect to parallel composition. Its necessity is best illustrated by the following example. The processes 
P =df τ.a.0 and Q =df a.0 would be considered equivalent if Condition (1) were absent. However, the context 
C[X] =df X | (a.0 + b.0) distinguishes them. The following proposition is the CCS sl equivalent of Proposition 3.0. 

Proposition 4.12. The equivalence relation ≈ is a congruence with respect to prefixing, parallel 
composition, relabeling, and restriction. Moreover, it is characterized as the largest congruence contained 
in ≈_×, in the sub-algebra of CCS sl induced by these operators and recursion. 

4.4.2. Distributed Prioritized Observational Congruence. Analogously to Section 3, the summation 
fix presented in [52] is not sufficient to achieve a congruence relation. 

Definition 4.13. We define Pss 1 Q if for all a E A, a € A, and m E Coc the following conditions and 
their symmetric counterparts hold. 

L 1(P) D1(Q) 

2. P-^ P' implies 3Q'.Q =§* Q f and P'«Q\ 

3 pin^p, imp n es 3Q\ n .Q=> f Q f ,L =$ [m] (P),M = 2T(P), andP'^Q'. 

The following theorem can be proved by following the technique already presented in Section 3.3.2 (cf. [50]). 
Theorem 4.14. is the largest congruence contained in 

4.4.3. Operational Characterization. We now characterize distributed prioritized weak bisimulation 
as standard bisimulation over an appropriately defined transition relation. To begin with, we introduce 
a family of relations on processes, where M C A \ {r}, by defining P=^P’ if 3P”.P P" 

P' and 7L(P n ) C M . Moreover, we write P ==» P* whenever there exists some m E Coc such that P ==> P 9 . 

Definition 4.15. A symmetric relation ℛ ⊆ 𝒫 × 𝒫 is an alternative distributed prioritized weak 
bisimulation if for every (P, Q) ∈ ℛ, a ∈ A, a ∈ A, and L, M ⊆ A \ {τ} the following conditions hold. 

1. P P' implies 3Q'.Q=^Q’ and (P',Q') E 72. 

2. PJ^P’ implies 3Q'. Q ==> Q f and (P\ Q') E 72. 

3. P^P' implies 3Q'.Q=> f Q‘ and <P',Q') E 72. 

We write P Q if (P, Q) ∈ ℛ for some alternative distributed prioritized weak bisimulation ℛ. 

Theorem 4.16 (Operational Characterization). « = 

The interested reader can find the proof of this theorem in [50]. 
4.5. Example. We now return to the direct-memory-access example system introduced in the beginning 
of Section 4. The CCS sl semantics of Sys, which corresponds to our intuition regarding distributed systems, 
is given in Figure 4.2 where we abstract away the locations. 



Fig. 4.2. Semantics of the dma-system 

As stated before, the application uses the two memory cells alternately. Thus, the DMA is expected to 
be allowed to access the free memory bench. Accordingly, the specification of the system can be formalized 
by Spec = dma.Spec. It is easy to see that the symmetric closure of 

{ (Spec, Sys), (Spec, (fetch2.Appl | Bench1 | Bench2) \ {fetch1, fetch2}) } 

is a distributed prioritized weak bisimulation. Therefore, Spec ≈ Sys as expected, i.e., the system Sys meets 
its specification Spec. 


4.6. Discussion on the Removal of Some Restrictive Design Decisions. Up to now we have 
restricted the number of priority levels in CCS sl to two and communication to complementary actions having 
the same priority. In this section we study the implications of the removal of these restrictions leading to a 
new version of CCS sl, called CCS^, (CCS sl with a multi-level priority-scheme), that is formally defined in the 
next section. 

Allowing communication between unprioritized actions and complementary prioritized actions raises the 
question of whether the resulting internal action should be the prioritized or the unprioritized τ. When 
dealing with local pre-emption, this decision has no important consequences for sequential communicating 
processes, i.e., those in standard concurrent form [52]; however, it is of obvious importance for processes 
like (a.0 | a.0) + b.0 in which one has to decide if the b-transition is enabled. One reasonable view is that 
a communication should be pre-empted whenever one communication partner is pre-empted, i.e., cannot engage 
in a communication. This implies that the minimal priority of the complementary actions ought to be assigned 
to the internal action. To reflect this in the operational semantics, one could replace Rules (Com1), (Com2), 
and (Com3) for parallel composition by the ones presented in Table 4.5 plus their symmetric versions. The 
side conditions involve sets H(P) that include all unprioritized visible actions in which P can initially engage. 

It turns out that the largest congruence results concerning distributed prioritized strong bisimulation 
and distributed prioritized observational congruence can be carried over to the new calculus; however, the 
new semantics has algebraic shortcomings, since parallel composition is not associative, as illustrated by 
the following example. Consider the process (b.0 + a.0) | (a.0 + c.0) | c.0. When computing the semantics 
in a left-associative manner, the initial b-transition is pre-empted according to Rule (Com1) since a may 
potentially communicate with a. However, when first composing the second and third parallel components, 
the a-transition is pre-empted, and consequently the b-transition is enabled by Rule (Com1). The reason 
for this problem is that transitions are pre-empted because the considered process can potentially engage 
in a higher prioritized communication from a comparable location. However, this potential communication 
cannot take place if the communication partner is itself pre-empted. The same problem also arises when 
extending CCS sl to multiple priority levels, even if communication is only allowed on complementary actions 

Table 4.5 

Modified operational rules 


Coml 


p m,a. pt 

pjq ... nc ZwmnffiW) unm = « 


Com3a 


Com3b 


P' Q 


P\Q 




P' Q 


P\Q 


(m L,n R) , 


^P f \Q l 


^Q f 
^ P'\Q ' 


$ [ra] (P)n(2(g)u2z:(Q)) = 0A 

S I n ] (Q)n(S(P)u2T(P)) = 0 


2E [n] (Q)n(2(P)u2(P)) = 0 


of the same priority as can be observed by using an adaptation of the previous example: 
(b:2.0 + a:1.0) | (a:1.0 + c:0.0) | c:0.0. 

One can imagine two approaches to fixing the problems with the first (and second) alteration to the 
theory. One is to change the operational semantics; in particular, the side conditions could be weakened 
so that an unprioritized transition is only pre-empted when a prioritized action from a comparable location 
can actually engage in a communication. This approach has not yet been investigated in the literature. 
The second solution follows an approach developed in [23] for a different setting and involves the use of 
a syntax restriction on processes prohibiting output actions, i.e., actions in A, from occurring as initial 
actions of processes that are in the scope of +. Hence, all potential communication partners are also actual 
ones, and the standard side conditions for parallel composition are sufficient to encode the desired notion 
of pre-emption. It is important to mention that the proposed syntax restriction still allows one to specify 
many practically relevant examples within the calculus. Indeed, a similar restriction may be found in the 
programming language occam [41]. 

4.7. Extension to Multi-level Priority-schemes. For CCS^, we allow a multi-level priority-scheme 
and communication between complementary actions with potentially different priorities. As seen in the 
previous section, both of these relaxations yield a semantics for which parallel composition is not associative. 
However, we have also argued that this problem vanishes if the syntax is restricted such that output actions 
never get pre-empted. We adapt the syntax restriction proposed by Camilleri and Winskel [23], stating that 
initial actions in the scope of a comparable summation operator are input actions. Therefore, input and 
output actions are explicitly distinguished in CCS^ h where the internal action τ is also treated as input 
action. In the following, we let a, b, ... range over the set A of input ports and a, b, ... over the set A 
of output ports. Moreover, we let γ stand for the silent action τ or an input action and let a range over 
A =df A ∪ A ∪ {τ}. Since the priority values of output actions need never be compared with other priority 
values in the restricted syntax, there are no priority values associated with output actions. The syntax of 
CCS^| is formally defined by the following BNF for P. 

I ::= 0 | x | γ:k.I | I + I | I ⊕ I | I | I | I[f] | I \ L | μx.I 
P ::= 0 | x | α:k.P | I + I | P ⊕ P | P | P | P[f] | P \ L | μx.P 

Here, f is an injective, finite relabeling, L ⊆ A ∪ A is a restriction set, and x is a variable taken from a 
countable domain V. A relabeling satisfies the properties f(A) ⊆ A, f(A) ⊆ A, f(τ) = τ, and f(a) = f(a). 
Thus, additionally to the requirements of a finite relabeling in CCS, relabelings in CCS^, may only map 
input ports to input ports and output ports to output ports. Since actions attached with different priority 
values do not represent different ports here, relabelings and restriction sets do not deal with priority values. 
Thus, the priority value of a relabeled transition remains the same, i.e., there is no implicit mechanism for 
prioritization or deprioritization (cf. Section 3.5). In the sequel, we write for the set of CCS^ t processes. 


Table 4.6 

Initial output action sets for CCS ^ 


JZ(fix.P) 

= T{P[nx.P/x}) 

IL(a.P) 

= W 

mp\Q) 

= 2T(P) Ull(Q) 

T{P € Q) 

= TL{P) U H{Q) 

Z(P[f}) 

= {/(«)|«€#(P)} 

T{P\L) 

= S(F)\(LUI) 


The semantics of CCS^, processes are again labeled transition systems whose transition relations are 
specified by operational rules. Since output transitions cannot get pre-empted, they also do not need an 
associated priority value, and output transitions do not need to take account of locations. We first present 
two auxiliary sets used when presenting the operational rules, namely (i) initial output action sets S(P) of 
a process P and (ii) initial input action sets I^(P) of P with respect to a priority value k and a location m, 
which are defined to be the smallest sets satisfying the equations presented in Tables 4.6 and 4.7, respectively. 
For technical convenience we remove the complement of output actions in the definition of ^(-), and we use 
the following abbreviations: (i) l^ k (P) = df U{l',„(^)|m € M, l < *:}, (ii) fl^(P) = df I<*(P) \ {r}, 
(hi) I(P) = df I m G Coc, l G A'}, and (iv) H(P) = df I(P) \ {r}. 


Table 4.7 

Initial input action sets for CCS^ 


I k m {»*-P) 

= I l(P[nx.P/x]) 


= {Tl k = l} 

I k m.,(P + Q) 

= I i(D 

l k m.L(P®Q) 

= £(P) 

I lr(P+Q) 

= l k n (Q) 

if Ir(p®Q) 

= if;w) 

lfnW]) 

= {/(t )|7 e lf n (P)} 

iIl(p\Q) 

= if;,(P)u{r|i^(P)n2z:(g) ^ 0} 

l k m (P\L) 

= lf;,(P)\(LuL) 

l nfi(P\Q) 

= ifi(Q) U {r 1 1* (Q) n H(P) ± 0} 


The operational rules for CCS^,, semantics are formally stated in Table 4.8 for output transitions and 
in Table 4.9 for input transitions. As expected, the rules for output transitions coincide with the ones for 
plain CCS [52] whereas the rules for input transitions take local pre-emption into account, thereby using 
location and priority value information in their side conditions. It is worth having a closer look at the side 
conditions of Rules (Sum1) and (Sum2) which differ in principle from the corresponding ones of CCS sl. They 
guarantee that an initial γ:l-transition of a process P is also pre-empted whenever there exists a higher 
prioritized initial γ:k-transition of P, i.e., if k < l. This additional kind of pre-emption reflects that output 
transitions can communicate with a complementary input transition regardless of its priority value, i.e., if 
more than one communication partner offering the matching input transition is available from comparable 
locations, the one attached with the highest priority is taken. This kind of pre-emption requires relabelings 





Table 4.8 

Operational semantics for CCS ^ wrt. output transitions 


Act 


Rel 


Rec 


a.P P 

p -A p ; 
p[/i ^ p'[/] 

Pf/xx.P/a;] -^4 
/ix.P -?4 P’ 


iSuml 


ISum2 


> a y p( 

PdiQ P' 

CjJbcy 

P © Q -4 Q' 


Coml 


Com 2 


P a ) P f 
P\Q^P'\Q 

oJCcr 

P | Q -4 P\Q' 


pt p a ^ pf 


Res 


P\L -4 P' \L 


a £ Ll> L 


Table 4.9 

Operational semantics for CCS 5 ^ wrt. input transitions 


Act 


iSuml 


r-k.P^bP 

p m n ky pt 


peg 


■Lrr-k 


*%P # 


iSum2 


Rel 


Rec 


Res 


QlhXd^Q' 

p © q ~q> 

p m^:ky pi 

p\f\ py] 

P[nx.P/x]^bP' 


P p t 


flX 


p mrr-ky pi 


p m,T.k. pi 

Suml r,7 $l <k {Q) 

P + Q p, > 


Q lltf-.ky Qt 

Sum2 -7 r. 7 ^ I <fr (P) 

P + g itimLy q> ' ^ v ' 

p rn,rky p> 

P | Q p> | q 

Q^bQ' 


Coml 


n<*(P)n2r(Q) = 


Com2 ,, , \fp(Q)PTL(P) = 

p | Q nJL2*> p | Qi 
p m ^ p' Q' 


Com3 


P | g p, | Q, 


n<*-(P)n2z:(g) = 0 


p^p' Q^Q' w<hl n n -, 


7 — 7 i L U L Com4 ,, , - I r <f (Q) n TL(P) = 0 

p \ L ZL2ik> p> \ l T p\Q2JLnk^ pi\Qi W vv; 


I Q’ 


to be restricted to injective ones as is pointed out in [23]. 

The behavioral relations defined for CCS sl can be adapted to CCS^, in a straightforward fashion, as we 
demonstrate by the notion of distributed prioritized strong bisimulation. 

Definition 4.17. A symmetric relation ℛ ⊆ 𝒫 × 𝒫 is a distributed prioritized strong bisimulation for 
CCS^| if for every (P, Q) ∈ ℛ, a ∈ A, γ ∈ A ∪ {τ}, k ∈ 𝒩 and m ∈ Loc, the following conditions hold. 

1. P -^4 P' implies 3Q f .Q CL> Q and (p\Q') € 71 , and 

2. P^bP' implies 3Q', l,n. Q Q', I^Q) C I^P), and (P' ,Q') £ TZ. 

We write P ~ml Q if (P, Q) ∈ ℛ for a distributed prioritized strong bisimulation ℛ for CCS 

Proposition 4.18. The relation ~ml is compositional with respect to all operators except summation. 

The proof can be done by using standard techniques [52] and, therefore, is omitted here. The reason for the 
lack of compositionality with respect to summation is illustrated by the following example: a:0.0 ~ml a:1.0 
holds, but a:0.0 + τ:0.0 ≁ml a:1.0 + τ:0.0 since the former process can engage in a transition labeled by 
action a whereas the latter cannot. Although this defect can easily be repaired (note the analogy with weak 
bisimulation [52]) we do not elaborate on this further since it is not of importance here. 
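The counterexample above can be replayed mechanically. The following Python sketch is an added example, not code from the paper: it covers only 0, prefixing and the comparable summation +, ignores locations, and treats a smaller priority value as the higher priority. As assumptions, it reads the side condition of Rules (Sum1) and (Sum2) as "the other summand has no initial τ and no initial occurrence of the same action with strictly higher priority", following the description in Section 4.7, and its bisimilarity check matches transitions by action name only, leaving out the initial-action-set condition of Definition 4.17.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple, Union

TAU = "tau"  # the internal action


@dataclass(frozen=True)
class Nil:
    """The inactive process 0."""


@dataclass(frozen=True)
class Prefix:
    """gamma:k.P, an input action or tau carrying priority value k."""
    action: str
    prio: int
    cont: "Proc"


@dataclass(frozen=True)
class Sum:
    """P + Q, the summation whose two sides have comparable priorities."""
    left: "Proc"
    right: "Proc"


Proc = Union[Nil, Prefix, Sum]


def initial(p: Proc) -> FrozenSet[Tuple[str, int]]:
    """Syntactic initial input actions of p, each paired with its priority value."""
    if isinstance(p, Prefix):
        return frozenset({(p.action, p.prio)})
    if isinstance(p, Sum):
        return initial(p.left) | initial(p.right)
    return frozenset()


def higher(p: Proc, k: int) -> FrozenSet[str]:
    """Initial actions of p with strictly higher priority than k (value < k)."""
    return frozenset(a for a, l in initial(p) if l < k)


def transitions(p: Proc) -> List[Tuple[str, int, Proc]]:
    """Enabled transitions (action, priority, target) after pre-emption."""
    if isinstance(p, Prefix):
        return [(p.action, p.prio, p.cont)]
    if isinstance(p, Sum):
        enabled = []
        for side, other in ((p.left, p.right), (p.right, p.left)):
            for a, k, target in transitions(side):
                blockers = higher(other, k)
                # Assumed side condition: neither tau nor the same action is
                # offered by the other summand at a strictly higher priority.
                if TAU not in blockers and a not in blockers:
                    enabled.append((a, k, target))
        return enabled
    return []


def bisimilar(p: Proc, q: Proc) -> bool:
    """Strong bisimilarity on finite terms, matching on action names only."""
    def simulated(x: Proc, y: Proc) -> bool:
        return all(
            any(a == b and bisimilar(x2, y2) for b, _, y2 in transitions(y))
            for a, _, x2 in transitions(x)
        )
    return simulated(p, q) and simulated(q, p)


def demo() -> dict:
    """Replay the example: a:0.0 vs a:1.0, alone and in the context _ + tau:0.0."""
    nil = Nil()
    a0, a1, t0 = Prefix("a", 0, nil), Prefix("a", 1, nil), Prefix(TAU, 0, nil)
    return {
        "a:0.0 ~ a:1.0": bisimilar(a0, a1),
        "actions of a:0.0 + tau:0.0": sorted(a for a, _, _ in transitions(Sum(a0, t0))),
        "actions of a:1.0 + tau:0.0": sorted(a for a, _, _ in transitions(Sum(a1, t0))),
        "sums equivalent": bisimilar(Sum(a0, t0), Sum(a1, t0)),
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```
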

4.8. Camilleri and Winskel’s Approach. Here, we briefly review Camilleri and Winskel’s approach 
to priority [23], which we refer to as CCS CW (CCS with priority due to Camilleri and Winskel). In contrast to 
the approaches considered so far, this process algebra with priority does not assign priority values to actions. 
Instead, there exists a special summation operator +) in CCS CW, called prioritized choice, which favors its 
left over its right argument. The syntax of CCS CW terms is given by the following BNF for P. 

I ::= 0 | x | γ.I | I +) I | I + I | I | I | I[f] | I \ L | μx.I 

P ::= 0 | x | α.P | I +) I | P + P | P | P | P[f] | P \ L | μx.P 

Here, the action γ, the injective, finite relabeling f, and the restriction set L satisfy the same restrictions as 
in the previous section. Again, closed and guarded terms determine the set 𝒫 cw of CCS CW processes. Further, 
we introduce initial output and input action sets as displayed in Tables 4.10 and 4.11, respectively, and write 
I CW (P) for I CW (P) \ {τ}. 


Table 4.10 

Initial output action sets for CCS CW 


2? cw (a.P) 

{«} 

^{pj.P) = 

^(P[,tx.P/x}) 

^(P\Q) = 

T' n (P)uT cw (Q) 

tf w (P + Q) = 

T cm (P)uW cm (Q) 

2H p[f ]) = 

{/(°) 1 a € 2T CW (P)} 

II 

f C >)\(LuI) 


Table 4.11 

Initial input action sets for CCS CW 


I cw (7-P) 

{ 7 } 

l cw (px.P) = 

I cw (P[px.P/x]) 

I CW (P+) Q) = 

I CW (P)UI CW (Q) 

I CW (P b Q) = 

i cw (P)ui cw (g) 

I CW (P[/]) = 

{/(7)l7€l cw (P)} 

l cw (P\L) = 

I CW (P)\(PUI) 

I CW (P 

| Q) = P*(P) u I CW (Q) U {r 1 I cw ( 0)0^" 

(Q)^01 


The semantics of a CCS CW process is given by a labeled transition system whose transition relation gives 
rise to transitions of the form P - 1 P' ■ where M ⊆ A. Intuitively, process P can engage in an α-transition 
to P' whenever the environment does not offer communications on ports in M. Despite notational 
differences, this is the same underlying principle as for some transition relations defined in the previous 
sections which are also parameterized by initial action sets. Note that a ∈ A implies M = ∅. The CCS CW 
transition relation is formally defined in Table 4.12, where f(M) stands for {f(m) | m ∈ M}. Recall that 
the initial actions of P in P +) Q are given preference over the initial actions of Q. Also, in this approach a 
prioritized τ, i.e., an internal action in which the left argument of +) can initially engage, has pre-emptive 
power over unprioritized actions, i.e., actions in which the right argument of +) can initially engage. Thus, 
the prioritized choice operator +) of [23] corresponds to the summation operator + in CCS^. In [23] the 
operator + stands for nondeterministic choice where priorities arising from the left and the right argument 
are incomparable. This operator is matched by the distributed summation operator ⊕ in CCS^,. We further 
investigate the correspondence of these operators in the next section. 

Table 4.12 

Operational semantics for CCS CW 


Act 


I-™ n.P 4 P 


Res 


47 p 4 p‘ 


^: W ui, p \ L * pi \ L 


a $ L U L 


Suml 


147 P 4 P' 

47P+)Q4/>' 


Sum2 


4? Q A Q' 


p +) Q Q' 


r,Q^I cw (P) 


iSuml 


iSum2 


47 P 4 p' 
47 P + Q 4 P' 

4 Q 4 Q' 

4 W P + Q 4 Q' 


Coml 


Com2 


_CW 

M 


^ p4p ' Mn r W ). 


P | Q 4 P' | Q 

4 W Qj±W_ 

4? P\Q^P\Q' 


Afnx cw (P) = 0 


Rel 


47 p 4 P' 


i_cw 

r /(M) 


P[}\ / ^ ) P'[/] 


Com3 


47 p 4 p' 4 w q 4 <7 

47P|Q4p'|g' 


Mn2f*(Q) = 0 


Rec 


h C * P\l_LX.P/x\ A P' 
b c A 7 /iJT.P A P' 


Com4 


h^ w PAP' hff Q A Q' 

P\Q AP'|Q' 


NnJT w (P) = 0 


Camilleri and Winskel have also developed a bisimulation-based semantic theory for CCS CW . Their notion 
of strong bisimulation for CCS CW , as defined below, is shown to be a congruence [23]. 

Definition 4.19. A symmetric relation ℛ ⊆ 𝒫 × 𝒫 is a distributed prioritized strong bisimulation for 
CCS CW if for every (P, Q) ∈ ℛ, a ∈ A, and M ⊆ A the following condition holds: 

\-fi P4P' implies 3 Q\N. Q A Q\ N C M, and <P',Q') € 7v . 

We write P ~CW Q if (P, Q) ∈ ℛ for some distributed prioritized strong bisimulation ℛ for CCS CW. 

4.9. Relating Both Priority Approaches. In this section we show that CCS^j and CCS CW are closely 
related by providing an embedding of CCS CW in CCS^,. For this purpose we define 𝒩 =df {0, 1}* and the 
strict order < on priority values to be the lexicographical order on 𝒩, where 1 is less than 0. 

We now introduce the translation function £(•) : P cw — > F^i by defining £ (F ) (P), which maps 

CCS CW terms to CCS^, terms. The functions ξ^k(P), for k ∈ 𝒩, are inductively defined over the structure 
of CCS CW processes as shown in Table 4.13. We note that the translation function is not surjective, e.g., 

Table 4.13 
Translation function 


£*( 0 ) 

=df 

0 

e(p+Q) = df 

e(x) 

=df 

X 

e(p+)Q) =df 

?*(7 -P) 

=df 

T-k-C(P) 

t k {P\Q) =df 

e(a.P) 

=df 

d.c(P) 



$*(**) ©•;*«?) 

?(P\L) 

=df Z k (P)\L 

e° (P)+eHQ) 

S k (P[f}) 

=df e(p)[f] 

z k (p)\e(Q ) 

Z k (»x-P) 

=df lix.f k (P) 


consider the process (a:0.0 + b:2.0) + c:1.0 on which no CCS CW process is mapped. This example also shows 
that the notion of compositionality in CCS CW is more restrictive than the one in CCS^„ since a comparable 
summation can only be extended by summands which have a higher or a lower priority than the already 
considered summands. The following theorem, which has been proved in [50], makes the semantic relationship 
between a CCS CW process P and its embedding ξ(P) precise. 

Theorem 4.20. Let P, Q ∈ 𝒫 cw. Then P ~CW Q if and only if ξ(P) ~ml ξ(Q). 

As a consequence, distributed prioritized strong bisimulation for CCS^, is also compositional with respect to 
summation in the sub-calculus of CCS^, induced by CCS CW. 

4.10. Concluding Remarks and Related Work. The consideration of a local concept of pre-emption 
is also made by Hansson and Orava in [35], where Hoare’s Communicating Sequential Processes 
(CSP) [40] is extended with priority by assigning natural numbers to actions. As for CCS sl, they equipped 
their operational semantics with a notion of location and introduced a sensitivity to locations when defining 
pre-emption. Indeed, their work served as an inspiration for CCS sl. However, the authors only conjecture 
that their version of strong bisimulation is a congruence, and they provide neither an axiomatization for 
their behavioral relation nor a theory for observational congruence. One may also criticize their semantics 
as not truly reflecting distributed computation. In particular, despite having a local pre-emptive semantics 
they compute a global priority for synchronizations. 

After stressing the strong similarity of CCS sl to the process algebra CCS CW in the previous section we 
focus on the algebraic results established in these frameworks. In [23, 44] the transition relation is directly 
annotated with pre-emption potentials. By plugging this relation into the definition of standard strong 
bisimulation one immediately obtains a congruence. In contrast, [27] starts off by defining naive distributed 
prioritized strong bisimulation using the naive transition relation and considers the pre-emption potential 
subsequently (by introducing the distributed prioritized initial action set condition). Then it is shown that 
the resulting congruence is the largest congruence in the naive equivalence. Similarly, Jensen [44] defines a 
naive distributed prioritized weak bisimulation based on the abovementioned annotated transition relation. 
His naive weak transition relation corresponds to the distributed prioritized weak transition relation in CCS sl 
if the parameter M is dropped. Because of the difference in the naive transition relations our abstraction 
result is somewhat stronger than Jensen’s, although the observational congruences appear to coincide. 

One may wonder about the relationship between CCS sl and CCS sg, i.e., the static priority global 
pre-emption language in Section 3. If in CCS sl the distributed summation operator is left out and pre-emption 
is globalized by defining [m] =df Loc for all m ∈ Loc, the operational semantics and the behavioral relations 
reduce to the corresponding notions presented in Section 3. 

Like Camilleri and Winskel, Barrett [7] devises a semantics of Occam’s priority mechanism that is 
additionally concerned with fairness aspects. His semantic framework is based on a structural operational 
semantics augmented with ready-guard sets which model possible inputs from the environment. Intuitively, 
these sets characterize the nature of the contexts in which a transition is possible. Thus, they correspond to 
the action sets with which the CCS sl and the CCS CW transition relations are parameterized. However, Barrett 
is not concerned with investigating behavioral relations but focuses on implementing Occam’s PRIALT and 
PRIPAR constructs on the transputer platform. 

In addition to Hansson and Orava, other researchers have also extended CSP [40] by a concept of static 
priority. Inspired by the notion of priority in ADA [47], Fidge [31] has introduced new versions of the 
operators for external choice, parallel composition by interleaving, and parallel composition by intersection. 
These favor their left-hand operands similar to the operators investigated by Jensen [44]. The developed 
semantic theory in [31] is based on failure semantics which is made sensitive to local pre-emption. For this 
purpose, traces are augmented with a preference function which identifies the priority relation on the initial 
action sets of a given process. A related approach has been presented by Lowe [49]. It differs from [31] in 
that the underlying algebra is a timed version of CSP [29]. Additionally, Lowe aims at obtaining a fully 
deterministic language by making use of a similar notion of priority as the one proposed by Fidge. 

Finally, we remark on the notion of strong and weak bisimulations for CCS sl . Since the semantic theory 
reflects local pre-emption, locations are implicitly occurring in our semantic equivalences. However, in 
contrast to the work on location equivalences in [18, 24, 57] we do not consider locations explicitly in our 
relations. Our objective is not to observe locations but to capture local pre-emption. 

5. Dynamic Priority and Global Pre-emption. This section develops a theory in which priorities 
are dynamic and pre-emption is global. The motivation for this theory originated in a desire to devise a 
compact model of real-time computation, and we devote significant space to establishing a tight connection 
between the seemingly different notions of priority and real-time [9]. For this purpose we equip our language 
with a dynamic priority semantics based on global pre-emption and refer to it as CCS dg (CCS with dynamic 
priority and global pre-emption). The connection with real-time arises when we interpret delays as priorities: 
the longer the delay preceding an action, the lower is its priority. This approach contrasts significantly with 
more traditional accounts of real-time, where the only notion of pre-emption arises in the context of the 
maximal progress assumption [13, 74] which states that time may only pass if the system under consideration 
cannot engage in any further internal computation. The main result of this section is the formalization of 
a one-to-one correspondence between the strong-bisimulation equivalences induced by dynamic priority and 
real-time semantics. 

Unlike the process algebras with priority considered so far, actions in CCS dg do have priority values 
that may change as systems evolve. Accordingly, we slightly alter our point of view regarding actions and 
priorities by separating action names from their priority values; that is, an action’s priority is no longer 
implicit in its port name. In this vein, we take the set of actions A to be {α, β, ...}. We also allow priority 
values to come from the full set N of natural numbers rather than a finite set. Our syntax of processes will 
then require that each action is equipped with a priority value taken from N. 

The structure of this section is as follows. Section 5.1 briefly presents a real-time semantics of our language,
whereas the dynamic priority semantics is introduced in Section 5.2. The one-to-one correspondence
is established in Section 5.3. Finally, Section 5.4 contains our concluding remarks and discusses related work.

5.1. Real-time Semantics. We first introduce a real-time semantics for our language, referred to as
CCS$^{rt}$ semantics, which explicitly represents timing behavior. The semantics of a process is defined by a
labeled transition system which contains explicit clock transitions - each representing a delay of one time
unit - as well as action transitions. With respect to clock transitions, the operational semantics is set up
such that processes willing to communicate with some process running in parallel are able to wait until the
communication partner is ready. However, as soon as it is available, the communication has to take place,
i.e., further idling is prohibited. This assumption is usually referred to as maximal progress assumption [74]
or synchrony hypothesis [13].

Formally, the labeled transition system corresponding to a process $P$ is a four-tuple
$\langle \mathcal{P}, \mathcal{A} \cup \{1\}, \longmapsto, P \rangle$ where $\mathcal{P}$ is the set of states, $\mathcal{A} \cup \{1\}$ the alphabet
satisfying $1 \notin \mathcal{A}$, $\longmapsto$ is the transition relation, and $P$ represents the start state. The transition
relation $\longmapsto\ \subseteq \mathcal{P} \times \mathcal{P}$ for clock transitions is defined in Table 5.1.
Regarding action transitions, it coincides with the one for traditional CCS where the Rule (Act) is replaced
by the axiom $\alpha{:}0.P \stackrel{\alpha}{\longmapsto} P$. For the sake of simplicity, we use $\gamma$ as representative of
$\mathcal{A} \cup \{1\}$, and write $P \stackrel{\gamma}{\longmapsto} P'$ instead of $\langle P, \gamma, P' \rangle \in\ \longmapsto$. If $\gamma \in \mathcal{A}$ we speak
of an action transition, otherwise of a clock transition. Sometimes it is convenient to write
$P \stackrel{\gamma}{\longmapsto}$ for $\exists P' \in \mathcal{P}.\ P \stackrel{\gamma}{\longmapsto} P'$. In order to ensure maximal
progress our operational semantics is set up in a way such that $P \not\stackrel{1}{\longmapsto}$ whenever
$P \stackrel{\tau}{\longmapsto}$, i.e., clock transitions are pre-empted as long as $P$ can engage in internal computation.

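Table 5.1

Operational semantics for CCS$^{rt}$

$$
\begin{array}{lll}
\text{tNil} & \dfrac{-}{0 \stackrel{1}{\longmapsto} 0} & \\[3ex]
\text{tAct1} & \dfrac{-}{\alpha{:}k.P \stackrel{1}{\longmapsto} \alpha{:}(k-1).P} & k > 0 \\[3ex]
\text{tAct2} & \dfrac{-}{a{:}0.P \stackrel{1}{\longmapsto} a{:}0.P} & \\[3ex]
\text{tSum} & \dfrac{P \stackrel{1}{\longmapsto} P' \quad Q \stackrel{1}{\longmapsto} Q'}{P + Q \stackrel{1}{\longmapsto} P' + Q'} & \\[3ex]
\text{tCom} & \dfrac{P \stackrel{1}{\longmapsto} P' \quad Q \stackrel{1}{\longmapsto} Q'}{P | Q \stackrel{1}{\longmapsto} P' | Q'} & P | Q \not\stackrel{\tau}{\longmapsto} \\[3ex]
\text{tRec} & \dfrac{P[\mu x.P/x] \stackrel{1}{\longmapsto} P'}{\mu x.P \stackrel{1}{\longmapsto} P'} & \\[3ex]
\text{tRel} & \dfrac{P \stackrel{1}{\longmapsto} P'}{P[f] \stackrel{1}{\longmapsto} P'[f]} & \\[3ex]
\text{tRes} & \dfrac{P \stackrel{1}{\longmapsto} P'}{P \setminus L \stackrel{1}{\longmapsto} P' \setminus L} &
\end{array}
$$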

Intuitively, the process $\alpha{:}k.P$, where $k > 0$, may engage in a clock transition and then behave like
$\alpha{:}(k-1).P$. The process $\alpha{:}0.P$ performs an $\alpha$-transition to become process $P$. Moreover, if $\alpha \neq \tau$, it may
also idle by executing a clock transition to itself. Time has to proceed equally on both sides of summation,
i.e., $P + Q$ can engage in a clock transition and, thus, delay the nondeterministic choice if and only if both
$P$ and $Q$ can engage in a clock transition, i.e., time is a deterministic concept. Similar to summation, $P$
and $Q$ have to synchronize on clock transitions according to Rule (tCom). Its side condition implements
maximal progress by ensuring that there is no pending communication between $P$ and $Q$. Although this
condition is negative, our semantics is still well-defined [1, 72]. A semantic theory based on the notion of
bisimulation [52] has been developed for CCS$^{rt}$ [55]. For the purposes of this section we restrict ourselves to
strong temporal bisimulation, a congruence which is defined as follows.

Definition 5.1 (Temporal Bisimulation). A symmetric relation $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$ is a temporal bisimulation if
for every $\langle P, Q \rangle \in \mathcal{R}$ and $\gamma \in \mathcal{A} \cup \{1\}$ the following holds: $P \stackrel{\gamma}{\longmapsto} P'$ implies
$\exists Q'.\ Q \stackrel{\gamma}{\longmapsto} Q'$ and $\langle P', Q' \rangle \in \mathcal{R}$.
We write $P \sim_{rt} Q$ if $\langle P, Q \rangle \in \mathcal{R}$ for some temporal bisimulation $\mathcal{R}$.

The reader might observe that CCS$^{rt}$ semantics unfolds every delay value into a sequence of elementary time
units. For example, the process $\alpha{:}k.0$ has $k + 2$ states, namely $0$ and $\alpha{:}l.0$ where $0 \le l \le k$ (see also
Figure 5.1 in Section 5.3). Representing $\alpha{:}k.0$ by a single transition labeled by $\alpha{:}k$ leading to the state
$0$ would definitely be more efficient. This idea of compacting the state space of real-time systems can be
implemented by viewing $k$ as a priority value assigned to action $\alpha$. In other words, one may consider the
delay value $k$ as the time-stamp of action $\alpha$ [43].

5.2. Dynamic Priority Semantics. In order to make the above intuition precise, we formally introduce
CCS$^{dg}$, i.e., a dynamic priority semantics for our language. The notion of pre-emption incorporated in
CCS$^{dg}$ is similar to CCS$^{sg}$; it naturally mimics the maximal progress assumption employed in CCS$^{rt}$ semantics.
Formally, the CCS$^{dg}$ semantics of a process $P$ is given by a labeled transition system
$\langle \mathcal{P}, \mathcal{A} \times \mathbb{N}, \longrightarrow, P \rangle$. The
presentation of the operational rules for the transition relation $\longrightarrow$ requires two auxiliary definitions.


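Table 5.2

Potential initial action sets for CCS$^{dg}$

$$
\begin{array}{lcl}
I^k(\alpha{:}l.P) & = & \{\alpha{:}l \mid l = k\} \\
I^k(P | Q) & = & I^k(P) \cup I^k(Q) \cup \{\tau{:}k \mid I^k(P) \cap \overline{I^k(Q)} \neq \emptyset\} \\
I^k(P + Q) & = & I^k(P) \cup I^k(Q) \\
I^k(P[f]) & = & \{f(\alpha){:}l \mid \alpha{:}l \in I^k(P)\} \\
I^k(\mu x.P) & = & I^k(P[\mu x.P/x]) \\
I^k(P \setminus L) & = & \{\alpha{:}l \in I^k(P) \mid \alpha \notin L \cup \overline{L}\}
\end{array}
$$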


First, we introduce potential initial action sets as defined in Table 5.2, taking account of the actions
and their priority values in which a given process can potentially engage. Note that these sets are only
supersets of the initial actions of processes since they do not take pre-emption into account. However, this
is sufficient for our purposes concerning pre-emption since $\tau \in I^{<k}(P)$ if and only if
$\exists\, l < k.\ P \xrightarrow{\tau:l}$, where
$I^{<k}(P) =_{df} \bigcup \{ I^l(P) \mid l < k \}$ (cf. Section 3.6).


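Table 5.3

Priority adjustment function

$$
\begin{array}{lcl}
[0]^k & =_{df} & 0 \\
[x]^k & =_{df} & x \\
[\mu x.P]^k & =_{df} & [P[\mu x.P/x]]^k \\
[\alpha{:}l.P]^k & =_{df} & \alpha{:}(l-k).P \quad \text{if } l > k \\
[\alpha{:}l.P]^k & =_{df} & \alpha{:}0.P \quad \text{if } l \le k \\
[P + Q]^k & =_{df} & [P]^k + [Q]^k \\
[P | Q]^k & =_{df} & [P]^k \,|\, [Q]^k \\
[P[f]]^k & =_{df} & [P]^k[f] \\
[P \setminus L]^k & =_{df} & [P]^k \setminus L
\end{array}
$$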


As a second auxiliary definition for presenting the transition relation, we introduce a priority adjustment
function as shown in Table 5.3. Intuitively, our semantics is set up in a way such that if one parallel
component of a process engages in a transition with priority $k$, then the priority values of all initial actions
at every other parallel component have to be decreased by $k$, i.e., those actions become equally “more
urgent.” Thus, the semantics of parallel composition deploys a kind of fairness assumption, and priorities
have a dynamic character. More precisely, the priority adjustment function applied to a process $P$ and a
natural number $k$, denoted as $[P]^k$, returns a process term which is “identical” to $P$ except that the priority
values of the initial, top-level actions are decreased by $k$. Note that a priority value cannot become less
than 0, and the phrase “identical” does not mean syntactic equality but syntactic equality up to unfolding
of recursion.


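Table 5.4

Operational semantics for CCS$^{dg}$

$$
\begin{array}{lll}
\text{Act1} & \dfrac{-}{a{:}k.P \xrightarrow{a:l} P} & l \ge k \\[3ex]
\text{Act2} & \dfrac{-}{\tau{:}k.P \xrightarrow{\tau:k} P} & \\[3ex]
\text{Sum1} & \dfrac{P \xrightarrow{\alpha:k} P'}{P + Q \xrightarrow{\alpha:k} P'} & \tau \notin I^{<k}(Q) \\[3ex]
\text{Sum2} & \dfrac{Q \xrightarrow{\alpha:k} Q'}{P + Q \xrightarrow{\alpha:k} Q'} & \tau \notin I^{<k}(P) \\[3ex]
\text{Com1} & \dfrac{P \xrightarrow{\alpha:k} P'}{P | Q \xrightarrow{\alpha:k} P' \,|\, [Q]^k} & \tau \notin I^{<k}(P | Q) \\[3ex]
\text{Com2} & \dfrac{Q \xrightarrow{\alpha:k} Q'}{P | Q \xrightarrow{\alpha:k} [P]^k \,|\, Q'} & \tau \notin I^{<k}(P | Q) \\[3ex]
\text{Com3} & \dfrac{P \xrightarrow{a:k} P' \quad Q \xrightarrow{\overline{a}:k} Q'}{P | Q \xrightarrow{\tau:k} P' | Q'} & \tau \notin I^{<k}(P | Q) \\[3ex]
\text{Rel} & \dfrac{P \xrightarrow{\alpha:k} P'}{P[f] \xrightarrow{f(\alpha):k} P'[f]} & \\[3ex]
\text{Res} & \dfrac{P \xrightarrow{\alpha:k} P'}{P \setminus L \xrightarrow{\alpha:k} P' \setminus L} & \alpha \notin L \cup \overline{L} \\[3ex]
\text{Rec} & \dfrac{P[\mu x.P/x] \xrightarrow{\alpha:k} P'}{\mu x.P \xrightarrow{\alpha:k} P'} &
\end{array}
$$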


The operational rules in Table 5.4 capture the following intuition. The process $a{:}k.P$ may engage in
action $a$ with priority value $l \ge k$ yielding process $P$. The side condition $l \ge k$ reflects that $k$ does not specify
an exact priority but the maximum priority of the initial transition of $a{:}k.P$. It may also be interpreted
as lower-bound “timing constraint.” Due to the notion of pre-emption incorporated in CCS$^{dg}$, $\tau{:}k.P$ may
not perform the initial $\tau$-transition with a priority value less than $k$. The process $P + Q$ may behave like
$P$ ($Q$) if $Q$ ($P$) does not pre-empt the considered transition by being able to engage in a higher prioritized
internal transition. Thus, the notion of global pre-emption reflects implicit upper-bound “timing constraints.”
The process $P | Q$ denotes the parallel composition of $P$ and $Q$ according to an interleaving semantics
with synchronized communication on complementary actions of $P$ and $Q$ having the same priority value $k$
which results in the internal action $\tau$ attached with priority value $k$ (cf. Rule (Com3)). The interleaving
Rules (Com1) and (Com2) incorporate the dynamic behavior of priority values as explained in the previous
paragraph. Their side conditions implement global pre-emption. The semantics for restriction, relabeling, and
recursion is straightforward. As for CCS$^{rt}$, we may adapt a notion of strong bisimulation, called prioritized
bisimulation.

Definition 5.2 (Prioritized Bisimulation). A symmetric relation $\mathcal{R} \subseteq \mathcal{P} \times \mathcal{P}$ is called prioritized
bisimulation if for $\langle P, Q \rangle \in \mathcal{R}$, $\alpha \in \mathcal{A}$, and $k \in \mathbb{N}$ the following holds:
$P \xrightarrow{\alpha:k} P'$ implies $\exists Q'.\ Q \xrightarrow{\alpha:k} Q'$ and
$\langle P', Q' \rangle \in \mathcal{R}$. We write $P \sim_{dg} Q$ if there exists a prioritized bisimulation $\mathcal{R}$ such that $\langle P, Q \rangle \in \mathcal{R}$.

5.3. Relating Dynamic Priority and Real-time Semantics. In this section we show that CCS$^{dg}$
and CCS$^{rt}$ semantics are closely related. The underlying intuition is best illustrated by a simple example
dealing with the prefixing operator. Figure 5.1 depicts the dynamic priority and real-time semantics of
the process $\alpha{:}k.0$. Both transition systems intuitively reflect that the process $\alpha{:}k.0$ must at least delay $k$
time units before it may engage in an $\alpha$-transition. According to CCS$^{rt}$ semantics this process consecutively
engages in $k$ clock transitions passing the states $\alpha{:}(k-i).0$, for $0 \le i \le k$, before it may either continue
idling in state $\alpha{:}0.0$ or perform an $\alpha$-transition to the inaction process $0$. Thus, time is explicitly part of
states and made visible by clock transitions, each representing a step consuming one time unit. In contrast,
the dynamic priority semantics encodes the delay of at least $k$ time units in the transitions rather than in
the states. Hence, it possesses only the two states $\alpha{:}k.0$ and $0$ connected via transitions labeled by $\alpha{:}l$ for
$l \ge k$. Although at first sight it seems that the price for saving intermediate states is to be forced to deal
with infinite-branching, an upper bound of $l$ can be given. In our example this upper bound is $k$ itself, since
a delay by more than $k$ time units only results in idling and does not enable new or disable existing system
behavior. Therefore, the dynamic priority transition system of $\alpha{:}k.0$ just consists of the two states $\alpha{:}k.0$
and $0$ and a symbolic transition labeled by $\alpha{:}k$, whereas the real-time transition system has $k + 2$ states and
$k + 2$ transitions. The following proposition formally states that CCS$^{dg}$ semantics can indeed be understood
as an efficient encoding of CCS$^{rt}$ semantics.



Fig. 5.1. Relating CCS$^{dg}$ and CCS$^{rt}$ semantics

Proposition 5.3. Let $P, P' \in \mathcal{P}$, $\alpha \in \mathcal{A}$, and $k \in \mathbb{N}$. Then

$P \xrightarrow{\alpha:k} P'$ if and only if $\exists P'' \in \mathcal{P}.\ P \stackrel{1}{\longmapsto}{}^{k}\, P'' \stackrel{\alpha}{\longmapsto} P'$.

Proposition 5.3 is the key to prove the main result of this section.

Theorem 5.4. Let $P, Q \in \mathcal{P}$. Then $P \sim_{dg} Q$ if and only if $P \sim_{rt} Q$.

Consequently, prioritized and temporal bisimulation possess the same properties; especially, prioritized
bisimulation is a congruence for CCS$^{dg}$. Again, proof details can be found in [50].
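
Proposition 5.3 can be checked mechanically on a small fragment of the language. The following Python code is an added example, not taken from the paper: it implements the clock rules tNil, tAct1, tAct2 and tSum of Table 5.1 and the rules Act1, Act2, Sum1 and Sum2 of Table 5.4 for terms built from 0, prefixing and choice only (no parallel composition, restriction, relabeling or recursion), then compares both transition systems and their reachable state spaces. The tuple encoding of terms, all function names and the sample term are assumptions of this example.

```python
TAU = "tau"        # the internal action
NIL = ("nil",)     # the inaction process 0

def pre(action, k, cont=NIL):          # prefix term action:k.cont
    return ("pre", action, k, cont)

def plus(p, q):                        # choice term p + q
    return ("sum", p, q)

# CCS^rt: clock rules tNil, tAct1, tAct2, tSum, plus action transitions.
def rt_tick(p):
    """Target of p's clock transition, or None if p cannot let time pass."""
    if p[0] == "nil":
        return p                                   # tNil
    if p[0] == "pre":
        _, action, k, cont = p
        if k > 0:
            return pre(action, k - 1, cont)        # tAct1
        return p if action != TAU else None        # tAct2; tau:0.P blocks time
    left, right = rt_tick(p[1]), rt_tick(p[2])     # tSum: both sides must tick
    return None if left is None or right is None else plus(left, right)

def rt_actions(p):
    """Action transitions of p as a set of (action, target) pairs."""
    if p[0] == "pre":
        return {(p[1], p[3])} if p[2] == 0 else set()
    if p[0] == "sum":
        return rt_actions(p[1]) | rt_actions(p[2])
    return set()

def rt_timed_steps(p, bound):
    """Right-hand side of Proposition 5.3: k ticks, then an action, k <= bound."""
    steps, current = set(), p
    for k in range(bound + 1):
        steps |= {(a, k, target) for a, target in rt_actions(current)}
        current = rt_tick(current)
        if current is None:                        # maximal progress stops time
            break
    return steps

# CCS^dg: rules Act1, Act2, Sum1, Sum2 with side condition "tau not in I^{<k}".
def tau_below(p, k):
    """True iff p has a potential initial tau with priority value below k."""
    if p[0] == "pre":
        return p[1] == TAU and p[2] < k
    if p[0] == "sum":
        return tau_below(p[1], k) or tau_below(p[2], k)
    return False

def dg_steps(p, bound):
    """Transitions of p as (action, priority, target), priority <= bound."""
    if p[0] == "pre":
        _, action, k, cont = p
        if action == TAU:                          # Act2: priority exactly k
            return {(TAU, k, cont)} if k <= bound else set()
        return {(action, l, cont) for l in range(k, bound + 1)}  # Act1: l >= k
    if p[0] == "sum":
        left = {s for s in dg_steps(p[1], bound) if not tau_below(p[2], s[1])}
        right = {s for s in dg_steps(p[2], bound) if not tau_below(p[1], s[1])}
        return left | right                        # Sum1 and Sum2
    return set()

def adjust(p, k):
    """[p]^k of Table 5.3 on this fragment; it equals k unblocked clock ticks."""
    if p[0] == "pre":
        return pre(p[1], max(p[2] - k, 0), p[3])
    if p[0] == "sum":
        return plus(adjust(p[1], k), adjust(p[2], k))
    return p

def reachable(start, successors):
    """All states reachable from start under the given successor function."""
    seen, todo = {start}, [start]
    while todo:
        new = successors(todo.pop()) - seen
        seen |= new
        todo.extend(new)
    return seen

def rt_states(p):
    """Reachable states when every clock tick is a transition of its own."""
    return reachable(p, lambda q: ({t for _, t in rt_actions(q)} | {rt_tick(q)}) - {None})

def dg_states(p, bound):
    """Reachable states when delays are carried by the transition labels."""
    return reachable(p, lambda q: {t for _, _, t in dg_steps(q, bound)})

# Constructed sample term: a:3.b:2.0 + tau:5.0
SAMPLE = plus(pre("a", 3, pre("b", 2)), pre(TAU, 5))

if __name__ == "__main__":
    print("Proposition 5.3 on SAMPLE:", dg_steps(SAMPLE, 8) == rt_timed_steps(SAMPLE, 8))
    print("three ticks equal [SAMPLE]^3:", rt_tick(rt_tick(rt_tick(SAMPLE))) == adjust(SAMPLE, 3))
    print("states rt/dg:", len(rt_states(SAMPLE)), len(dg_states(SAMPLE, 8)))
```

On the sample term the a-transition is available with priorities 3, 4 and 5 only: the prefix gives the lower bound, and the pending internal action with priority 5 pre-empts every later occurrence.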

5.4. Concluding Remarks and Related Work. As shown above, real-time semantics can be encoded
by dynamic priority semantics. Moreover, the state spaces of CCS$^{dg}$ models are much smaller and the size of
the transition relation is at least not worse, but in practice often better, than the one of corresponding CCS$^{rt}$
models. This has been demonstrated by formally modeling and verifying several aspects of the widely-used
SCSI-2 bus-protocol [16], for which the state space of the dynamic priority model is almost an order of
magnitude smaller than the one resulting from traditional real-time semantics.

Regarding related work, a similar approach has been made by Jeffrey [43] who has established a formal
relationship between a quantitative real-time process algebra and a process algebra with static priority which
is very similar to CCS$^{sg}$ presented in Section 3. Jeffrey also translates real-time to priority based on the
idea of time-stamping. In contrast to CCS^ semantics, however, a process modeled in Jeffrey’s framework
may either immediately engage in an action transition or idle forever. This semantics does not obey a
characteristic of the behavior of reactive systems, namely that a process should wait until a communication
partner becomes available, instead of engaging in a “livelock.” It is only because of this assumption that
Jeffrey does not need to choose a dynamic priority framework.

In [21] a variant of CCSR [22] has been introduced which allows for modeling not only static priority
but also dynamic priority. The main focus of CCSR involves the specification and verification of real-time
concurrent systems, including scheduling behavior. Thus, a notion of dynamic priority, such as occurs in
priority-inheritance and earliest-deadline-first scheduling algorithms, is crucial. In [21] dynamic priorities
are given as a function of the history of the system under consideration, and the operational semantics of
CCSR is re-defined to include the historical context. The authors show that dynamic priorities do, in general,
not lead to a compositional semantics and give a sufficient condition that ensures compositionality.


6. Priority in Other Process-algebraic Frameworks. This section completes the discussion of
related work by focusing on approaches to priority which (i) do either not fit in our classification scheme
presented in Section 1, such as approaches for ACP [4], SCCS [68], and stochastic [11, 39] or probabilistic [71,
45, 69] process algebras, or (ii) are concerned with process-algebraic descriptions of non-process-algebraic
languages, such as Esterel [12, 13] and Statecharts [36, 70].

Baeten, Bergstra, and Klop were the first researchers who investigated priorities in process algebras [4]
by developing a notion of priority for the Algebra of Communicating Processes (ACP) [8] - a process algebra
which is equipped with an axiomatic semantics. Their work is inspired by the insight that it is essential
to incorporate an interrupt mechanism in process-algebraic frameworks in order to enhance their expressive
power as specification and verification formalisms for concurrent systems. Therefore, a piece of syntax
together with semantics defining equations is introduced in [4]. Based on a given partial order $<$ on actions, a
unary operator $\theta$ is defined. Intuitively, $\theta(P)$ is the context of $P$ in which action $a$ has precedence over action $b$
whenever $b < a$, i.e., non-deterministic choices between actions $a$ and $b$ are resolved within $\theta(P)$. Technically,
the axiomatic semantics of the new language, notated as a term rewrite system, is shown to possess nice
algebraic properties such as confluence and termination. The utility of the theory is demonstrated by simple
examples dealing with interrupts, timeouts, and other aspects of real-time behavior. The approach in [4]
differs from most other work presented in [10] in that the partial order expressing priorities is fixed with
respect to the system under consideration, i.e., the same priority relation holds at all states of the system.
For example, if $a < b$ at some state of the system, then $a > b$ cannot be valid at another state, i.e., priorities
in [4] are not globally dynamic in the sense of [68]. It should also be mentioned that the version of ACP
used in [4] does not include a designated internal action, cf. action $\tau$ in CCS; a fact which simplifies the
development of algebraic theories.

Stochastic process algebras [11, 39], which enhance the expressiveness of classical process algebras by
integrating performance descriptions of concurrent systems, also define notions of priority. One example
of a well-known stochastic process algebra is the Extended Markovian Process Algebra (EMPA) [11] whose
semantics is given in terms of strong bisimulation, and its static priority approach is adapted from CCS$^{sg}$.

Smolka and Steffen [68] have introduced static priority to the Synchronous Calculus of Communicating
Systems (SCCS) [52] by extending a probabilistic version of this language, known as PCCS [71], whose
semantics is given in terms of probabilistic bisimulation. Their work shows that the concept of priority is not
only related to real-time, as investigated in Section 5, but also to probability. The main idea in [68] is to
allow probability guards of value 0 to be associated with alternatives of a probabilistic summation expression.
Such alternatives can be chosen only if the non-zero alternatives are precluded by contextual constraints.
Thus, priority may be viewed as an extreme case of probability. Most remarkably, the semantics developed
in [68] does not employ a notion of pre-emption as one would expect from any priority setting. A conjecture
- which if true would justify this situation - is that the very powerful hiding operator of SCCS may destroy
the congruence property of bisimulation in the presence of pre-emption.

Tofts has investigated another extension of SCCS, the Weighted Synchronous Calculus of Communicating
Systems (WSCCS) [69]. Its semantics relies upon a notion of relative frequency which is suitable for specifying
and reasoning about aspects of priority, probability, and time in concurrent systems. In this approach priority
is encoded by means of higher ordinals; a transition has priority over another if their weights are separated
at least by a factor of $\omega$. An operator similar to the $\theta$-operator in [4] is defined which extracts the highest
priority transitions enabled at a process state by referring to a global notion of pre-emption. In contrast
to [4], Tofts’ operator allows for different priority structures at different states. This concept of priority
yields a simpler operational semantics than the one in [68]. For WSCCS, a congruence adapted from strong
bisimulation together with an equational characterization, which is sound and complete for finite processes,
has been developed.

The concept of pre-emption has also been studied in other synchronous languages, most notably by
Berry [12]. His technical framework is based on Esterel’s zero-delay process calculus, a theoretical version
of the Esterel synchronous programming language [13]. The calculus’ semantics interprets processes as
deterministic mappings from input sequences to output sequences which obey maximal progress [74]. Berry
emphasizes the importance of pre-emption in control-dominated reactive and real-time programming. He
suggests pre-emption operators to be considered as first-class operators which are fully orthogonal with
respect to all other primitives such as concurrency and communication. This is in contrast to the approach
chosen for this article in which pre-emption is implicitly encoded as side conditions of operational rules
involving nondeterminism. Several examples of useful pre-emption operators are presented and axiomatized
in [12], all of which are based on the ideas of abortion and suspension.

The specification language Statecharts [36], for which process-algebraic descriptions of Statecharts’ semantics
have been developed [70], extends communicating finite automata by concepts of hierarchy and
priority. In Statecharts static priorities can be expressed via the absence of actions, also called events, by
permitting negated actions as guards, which are referred to as triggers. As an example, consider the following
term describing a simple statechart: $a : b.P + \neg b : c.Q$. This term consists of a nondeterministic choice
between a $b$-transition with guard $a$ to process $P$, and a $c$-transition with guard $\neg b$ to $Q$. Intuitively, the
statechart may only engage in the latter transition if it cannot execute the former since this one produces
the event $b$ which falsifies the guard of the $c$-transition. Thus, the $b$-transition is given precedence over the
$c$-transition. In the following we argue that approaches to priority via negated events (cf. [34]) do not go well
along with the concept of hiding which is used in many process algebras and also in a very popular variant of
Statecharts, called ARGOS [51]. Hiding enables one to relabel a visible action into a distinguished invisible
action (cf. the internal action $\tau$ in CCS). The problem with hiding arises when several events are hidden, i.e.,
all of them are relabeled to the same event and, thus, have the same implicit priority value attached to them.
Hence, hiding may destroy priority structures. However, in most other priority approaches considered in this
paper priorities are assigned to transitions, thereby allowing for a more fine-granular priority mechanism and
avoiding the above-mentioned problem.

7. Conclusions and Directions for Future Work. This article has investigated various aspects of
priority in process algebras. The utility of introducing priority to traditional process algebras is to enhance
their expressiveness and, thereby, to make them more attractive to system designers.

7.1. Conclusions. We have illustrated the most important aspects of priority by defining a prototype
language which extends Milner’s Calculus of Communicating Systems (CCS). This language has been
equipped with several semantics according to whether priorities are static or dynamic and whether the
adapted notion of pre-emption is global or local.

In practice it is easy to determine when to use a static priority and when to use a dynamic priority
semantics: for modeling interrupts and prioritized choice constructs a static notion of priority is adequate,
whereas for modeling real-time or scheduling behavior dynamic priorities should be considered. However,
static priority approaches may also allow for the description of a few, very simple scheduling algorithms,
as has been shown in [44] in the presence of a prioritized parallel composition operator. In addition to the
dynamic priority approach’s ability to express more general scheduling algorithms, it also leads to a more
efficient verification of real-time systems since the sizes of system models with respect to dynamic priority
semantics are often several orders of magnitude smaller than the ones regarding real-time semantics [16]. If
one needs to deal with both interrupt and real-time aspects at the same time, static and dynamic priority
approaches must be combined. In this situation each action should be assigned two priority values, the first
interpreted as a global priority value for scheduling purposes and the second interpreted as a local priority
value for modeling interrupts, where the first priority value has more weight than the second one.

Suitable guidelines supporting the decision in favor of a global or a local notion of pre-emption are the
following. A semantics obeying global pre-emption is required when modeling interrupts and prioritized-choice
constructs in concurrent, centralized systems or when specifying real-time and scheduling aspects.
Global pre-emption also allows for making executions of action sequences atomic. This can be necessary
for modeling systems accurately and, as a desired side effect, keeps system models small, thereby enhancing
the efficiency of verification procedures [28]. However, when dealing with interrupts or prioritized-choice
constructs within distributed systems the concept of global pre-emption is inadequate. Here, the use of local
pre-emption does not only lead to an intuitive but also to an implementable semantics since it does not
require any knowledge about computations which are internal to other, potentially unknown sites (cf. [26]).

Technically, the three different calculi presented in Sections 3-5 have been equipped with a bisimulation-based
semantics. The re-development of the semantic theory of CCS for the static priority calculi included:
(i) characterizations of the largest congruences contained in the naive adaptations of the standard strong
and weak bisimulations, (ii) encodings of the new behavioral relations as standard strong bisimulations on
enriched transition relations, and (iii) axiomatic characterizations of the prioritized strong bisimulations for
finite processes. For the dynamic priority calculus strong bisimulation has served as a semantic tool for
establishing a one-to-one correspondence between dynamic priority and real-time semantics. Finally, observe
that our semantic theories show that extensions of process algebras by priority do not need to sacrifice the
simplicity and the elegance that have made traditional process-algebraic approaches successful.

This article has also surveyed related approaches to priority which are concerned with different process-algebraic
calculi. We have classified them according to whether priorities are considered to be static or
dynamic and whether their concept of pre-emption is global or local. The concept of priority has also been
investigated in other concurrent frameworks, most notably in Petri Nets [14, 67]. In this setting priorities
are either expressed explicitly by priority relations over transitions [15] or implicitly via inhibitor arcs [42].
Finally, it should be mentioned that priorities can implicitly arise when studying causality for mobile processes
(see e.g. [30]). In these approaches, priorities cut off superfluous paths that only present new temporal but
not causal dependencies of systems.

7.2. Future Work. Besides the fact that a calculus combining dynamic priority and local pre-emption
has not yet been developed, the semantic theories for CCS$^{sg}$ and CCS$^{sl}$ also need to be completed
by axiomatizing their observational congruences. For finite processes, one should be able to establish these
axiomatizations using standard techniques [53]. However, for regular processes, i.e., the class of finite-state
processes not containing recursion through static operators, it is not clear how to obtain completeness. The
point is that existing methods for proving completeness of axiomatizations with respect to observational
congruences rely on the possibility to remove or to insert $\tau$-cycles in processes [53]. In the context of
pre-emption, however, this would possibly change the pre-emption potential of processes and is, thus, semantically
incompatible with the prioritized observational congruences presented here. Recently, a similar problem has
been attacked in [38] for a stochastic timed process calculus with maximal progress. The definition of
observational equivalence employed in that paper differs from Milner’s original one by adding a notion of
fairness which is sensitive to escaping divergence, i.e., infinite internal computation. However, the authors
conjecture that their technique can be adapted to priority frameworks, too.

Most process algebras which have been equipped with a notion of priority rely on an interleaving semantics,
handshake communication, and a semantic theory based on bisimulation. It should be investigated
in which sense the presented approaches and results, especially regarding local pre-emption, can be adapted
to broadcasting calculi such as Hoare’s CSP [40]. Moreover, since for semantics based on local pre-emption
the usual interleaving law is not valid, it is worth pursuing local pre-emption for non-interleaving semantic
frameworks [3, 73]. Preliminary considerations have been made in Jensen’s thesis [44]. However, the insights
obtained by Jensen are restricted to a structural operational semantics for a CCS-based calculus which is
defined using asynchronous transition systems [73]. Jensen’s results do not comprise a behavioral relation
such as bisimulation (cf. [57]). Finally, we want to note that - to the best of our knowledge - extensions of
higher-order process algebras [54, 62] with concepts of priority do not yet exist. Thus, it would be interesting
to see if some of the presented approaches can be carried over straightforwardly or if any semantic difficulties
regarding pre-emption arise.

8. Sources and Acknowledgments. Major parts of this article have been adapted from several
publications by the authors which include two Ph.D. theses: the results of Section 3 are taken from [25, 50,
58, 59] and the ones of Section 4 from [27, 50]; Section 5 heavily borrows from material contained in [16, 50].
The authors would like to thank Girish Bhat, Matthew Hennessy, Michael Mendler, and Bernhard Steffen
for many discussions about priority in process algebras.